Why Should Delaware Care?
ChristianaCare is Delaware’s largest health system, and it treats thousands of patients. A new lawsuit claims sensitive personal information like social security numbers and medical records were breached in a cyberattack.
After a data breach last year where an untold amount of patient information was harvested and disclosed, ChristianaCare and one of its third-party vendors are facing a class-action lawsuit claiming they acted negligently and continue to “obfuscate” details of the breach.
The lawsuit was filed Dec. 17, 2025, weeks after a public notification from ChristianaCare announcing the breach, by two named plaintiffs, Chase Stout, a Newark resident, and Lisa Addi, from North East, Md.
Cerner Corporation – also known as Oracle Health – a third-party vendor hospitals use to store patient information and data, is also named in the complaint.
The plaintiffs are seeking restitution, damages, and asking a judge to prevent the hospital and Oracle from “further deceptive practices and making untrue statements about the data breach and the stolen sensitive information.”
The class-action suit comes on the heels of a proposed legal settlement between patients and another Delaware health system in Kent County, Bayhealth, that would see the hospital set aside $2.5 million for patients impacted by a data breach in 2024, the News Journal reported.
According to this latest lawsuit, the ChristianaCare data breach occurred in January 2025. A November press release said Oracle had notified the hospital in April that “an unauthorized third party” had gained access to some of its legacy systems.
At the end of September, the hospital received a list from Oracle of affected patients and the type of information that may have been impacted in the breach, like Social Security numbers and medical records, the press release said.
The press release from the hospital did not specify how many patients were impacted, and the lawsuit claims that ChristianaCare and Oracle “continue to obfuscate the details of the breach as well as the nature of the breach.”
Still, the hospital did not make its public announcement of the breach until near the end of November.
“Due to intentionally obfuscating language and a lack of formal notification, it is unclear how long it took defendants to discover that they had been subject to a breach and how long cybercriminals had unfettered access to plaintiffs’ and the class’s most sensitive information,” the complaint said.
Lawyers for the plaintiffs did not respond to a request for comment. A spokesperson for ChristianaCare said the hospital does not comment on pending litigation.
ChristianaCare did not answer questions from Spotlight Delaware about how many patients were impacted, nor why it waited months to tell the public about the breach.
In its November press release, the hospital said it had sent out letters to patients that had been impacted offering “a complimentary two-year membership to credit monitoring and/or minor identity protection services.”
Oracle also did not respond to a request for comment.
The plaintiffs alleged that Oracle has yet to send patients notifications about their impacted data, and that the data breach was preventable. They also claimed Oracle failed to properly secure the data and prevent the leak of data.
“In other words, defendants’ cyber and data security systems were completely inadequate and allowed cybercriminals to obtain files containing a treasure trove of thousands of its patients’ highly private sensitive information,” the complaint said.