
KANSAS CITY — A class action lawsuit has been filed in federal court alleging that Heartland Regional Medical Center and Cerner Corporation failed to adequately protect sensitive personal and health information of patients and employees during a January 2025 cyberattack.

Heartland Regional Medical Center is doing business as Mosaic Life Care and Cerner Corporation is doing business as Oracle Healthcare, according to a complaint removed Aug. 29 in U.S. District Court for the Western District of Missouri, Kansas City Division.

Dennis Winchell filed the complaint individually and on behalf of others similarly affected, claiming negligence, breach of implied contract and unjust enrichment.

The breach involved the unauthorized access and acquisition of personally identifiable information (PII) and protected health information (PHI), including names, Social Security numbers, driver’s license numbers, dates of birth, treating physicians, dates of service, medication information, insurance details and treatment or diagnostic information. 

Mosaic confirmed that suspicious activity was detected on Jan. 22, but the company did not verify that patient information had been accessed until April 29, when an unknown party contacted Mosaic claiming to possess such data. 

Notices to affected individuals were not sent until June 27, several months after the breach was discovered, the complaint states.

Mosaic operates hospitals, clinics and medical centers in St. Joseph, Maryville and Albany, serving approximately 270,000 residents across 35 counties in Missouri, Kansas, Nebraska and Iowa, and is the region’s largest employer with more than 4,000 employees. 

Oracle Health/Cerner provides healthcare data services, including data migration, for Mosaic. 

Winchell alleges that both entities maintained sensitive information on inadequately secured networks, which were then targeted by cybercriminals who exfiltrated highly sensitive data.

The complaint asserts that Mosaic and Oracle failed to implement reasonable cybersecurity procedures despite known risks in the healthcare industry and guidance issued by federal agencies, including a January 2023 presentation by the U.S. Department of Health and Human Services warning providers about threats from ransomware groups such as Royal and BlackCat. 

The suit claims the defendants failed to properly monitor their systems, allowing cybercriminals nearly a month of access, and delayed notifying victims while providing only limited support such as one year of credit monitoring upon request.

Winchell contends that as a result of the breach, he and others face a heightened risk of fraud and identity theft, including the potential for fraudulent financial accounts, government benefits, tax returns, medical claims and false driver’s licenses being created in their names.

Winchell argued that victims will be forced to monitor their accounts for years, incur out-of-pocket expenses for credit monitoring and protective measures and may suffer direct and indirect financial losses.

The lawsuit alleges that the defendants violated legal obligations under the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act (HIPAA) by failing to maintain adequate security, disregarding warnings of increased cyber threats and misrepresenting their ability to safeguard private information. 

Winchell is seeking compensatory damages, reimbursement for expenses, long-term credit monitoring, annual security audits and declaratory relief mandating improved cybersecurity measures. He is represented by George E. Kapke Jr. and Michael J. Fleming of Kapke & Willerth in Lee’s Summit; and Gary E. Mason and Danielle L. Perry of Mason LLP in Washington, D.C.

U.S. District Court for the Western District of Missouri, Kansas City Division case number: 4:25-cv-00681
