Delayed Breach Disclosures Are Quietly Eroding Healthcare’s Cyber Trust

As breach fatigue sets in across the healthcare sector, a quieter and more corrosive threat is emerging: not just the frequency of cyberattacks, but the time it takes for patients and providers to learn about them. Recent breach disclosures involving Wyandot Center, ChristianaCare, and Oracle Health (formerly Cerner) have once again illustrated a systemic failure: the timeline between compromise and communication remains dangerously long.
In each case, critical health and identity data were exposed. In each case, weeks or even months passed before affected individuals were informed. And in each case, the organizations involved have yet to publicly confirm how many patients were impacted. These patterns represent a growing liability in healthcare’s data stewardship model.
A Common Pattern, an Unacceptable Lag
On November 19, Wyandot Center disclosed that it had suffered a network intrusion in late September 2025. The attackers gained access to sensitive data ranging from medical record numbers and Social Security numbers to diagnosis and prescription information. Yet it took more than six weeks to complete the review and confirm what data had been exposed, a delay that left patients unaware of the risks they faced in real time.
At ChristianaCare, the situation was even more opaque. A breach of legacy servers hosted by Oracle Health was discovered as early as January 2025, but ChristianaCare did not receive identifiable patient data until late September. That delay was attributed to a law enforcement request. Regardless of justification, the result was a nine-month gap between compromise and patient notification.
In both examples, the actual number of affected patients remains unknown. These gaps, both in time and in transparency, undermine the foundational principle of patient trust and call into question whether healthcare organizations are structurally capable of managing data breach response at the scale required by modern threats.
The Regulatory Ceiling Is Too Low
Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must notify affected individuals within 60 days of discovering a breach involving protected health information (PHI). But that window is both generous and vague. It allows for internal review and investigation, but sets no standard for how quickly a breach must be discovered, nor does it impose any mandate to disclose the scale of exposure unless required by the Office for Civil Rights (OCR).
In an era where ransomware dwell time (the average number of days attackers remain undetected) can exceed three weeks, this gap is consequential. It means attackers can access, exfiltrate, and potentially monetize PHI while both providers and patients remain unaware. By the time the formal notification clock starts, the damage may already be irreversible.
A 2023 GAO report criticized OCR for failing to modernize breach notification enforcement, noting inconsistent penalties and limited public visibility into delayed disclosures. Until that changes, the current framework will continue to favor institutional delay over proactive disclosure.
The Vendor Variable: Weak Links in the Chain
The Oracle Health breach illustrates a second layer of complexity: healthcare delivery organizations are increasingly dependent on third-party vendors for EHR hosting, imaging systems, and patient portals. Yet many of these vendors operate under separate breach notification obligations that do not directly align with those of the covered entities they serve.
In the case of ChristianaCare, Oracle Health was the custodian of the compromised data. While the law enforcement delay in disclosure was legally defensible, it underscores the fragile position of providers who do not control their own data infrastructure. When vendors suffer breaches, health systems often learn about them late, with incomplete information, or after reputational damage has already been done.
This dynamic is further complicated when vendors delay quantifying exposure. In Oracle’s case, full patient identification data was not provided to ChristianaCare until nine months after the initial compromise. Health systems must develop stronger contractual agreements and service-level requirements that define breach timelines and reporting obligations in measurable terms.
Behavioral Health Under Greater Threat, With Less Resilience
The Wyandot Center case highlights a particularly concerning trend: behavioral health and community-based providers are facing more targeted cyberattacks, often with fewer resources and weaker cybersecurity posture. According to HIMSS, behavioral health centers are disproportionately vulnerable due to legacy systems, budget constraints, and limited staffing for cybersecurity.
Yet the data they hold is among the most sensitive in healthcare. Information about mental health diagnoses, medications, substance use history, and provider interactions can be weaponized in both social and financial contexts. For these organizations, a breach is a profound reputational and clinical risk.
The OCR breach portal currently does not list Wyandot Center’s incident, suggesting that a full assessment is still underway. But the delay in public disclosure, even when preliminary findings were available, signals a lack of preparedness for breach response at the community level. Federal support, regional information sharing, and tailored technical assistance are urgently needed to close this gap.
Strategic Risk, Not Just Compliance Exposure
For executive leadership teams, the lesson is about strategy. Data breaches are no longer episodic failures. They are continuous events embedded in the operating risk of every health system, behavioral health provider, and digital health vendor.
Delayed notification, incomplete transparency, and vague impact assessments are not sustainable strategies. They increase exposure to class-action litigation, amplify reputational harm, and erode the trust that underpins digital health adoption.
Boards and C-suites must revisit incident response plans, audit their breach readiness protocols, and define thresholds for immediate internal alerts and external disclosures. These plans must reflect the multi-actor nature of data stewardship: vendor failures, legacy systems, and cloud platforms all play a role.
Furthermore, breach readiness should be stress-tested regularly. Tabletop exercises must include realistic simulations of delayed third-party disclosures and conflicting legal obligations. Executive leaders must be empowered to act on incomplete information and communicate to patients with clarity, even when full details are not yet confirmed.
Rebuilding Trust Requires Urgency and Accountability
The pattern emerging from recent disclosures is not just technical failure, but leadership inertia. Patients are waiting too long to learn that their data has been compromised. Providers are waiting too long to receive the information they need to act. Regulators are waiting too long to publish incidents that are already weeks or months old.
Rebuilding trust in healthcare’s digital infrastructure will require more than credit monitoring offers and breach notification templates. It will require speed, clarity, and accountability across the entire data lifecycle, from storage and access to detection and disclosure.
That process starts not with new regulations, but with executive decisions made today. Silence, delay, and ambiguity are no longer acceptable.