KLAS Research characterized partnership and responsiveness as key drivers of customer satisfaction
Epic Systems has bolstered its status as the dominant player among vendors of electronic health records (EHR) software, winning nearly 70% of new hospital contracts in 2024. Most, if not all, of these rollouts will include clinical laboratory data imported into the EHR system.
According to a recent market share report from KLAS Research, Epic added a net 176 acute care multispecialty hospitals in 2024, marking its largest-ever annual net gain, KLAS reported. Meanwhile, Epic’s largest rival, Oracle Health, saw a net loss of 74 hospitals during the year. Meditech, the No. 3 EHR vendor, saw a net decline of 57 hospitals.
The report, titled, “US Acute Care EHR Market Share 2025,” was based on interviews with healthcare organizations as well as data from vendors and other sources, KLAS said.
“Across all vendors, the level of partnership has emerged as a key differentiator,” KLAS stated in its report. “A vendor’s reputation for listening to customers, taking feedback, and implementing requested changes greatly impacts customer satisfaction—often translating to gains in overall market share.”
In their KLAS report, authors Bradley Hunter (left) and Paul Warburton (right) wrote, “Though still high overall, acute care EHR purchase energy slightly cooled in 2024. Health systems continued to drive most of the decisions.” Photo copyrights: KLAS Research.)
Drivers of Epic’s Success
Among large health systems—defined as those with more than 10 hospitals—KLAS noted the following market share for EHR vendors:
Epic—48%.
Oracle—27%.
Meditech—15%.
All other EHR vendors—10%.
Among all acute care hospitals, Epic’s market share is 42.3% compared with 22.9% for Oracle and 14.8% for Meditech.
Epic also dominates in terms of percentage of hospital beds, with a 54.9% market share compared with 22.1% for Oracle and 12.7% for Meditech.
Overall, acute care EHR purchases declined in 2024, as 272 hospitals bought an EHR system, compared with 319 in 2023, KLAS reported.
The report attributed Epic’s success to “the stability and interoperability capabilities of the product as well as generally high satisfaction among current customers. Beyond strictly technological considerations, Epic’s reputation for customer partnership has brought them to the forefront of most EHR considerations.”
Oracle’s Market Decline
For the first time, Oracle declined to offer a list of new contracts, KLAS reported. To arrive at its estimates for the company, KLAS said it used “publicly available resources and our standard internal research methods.”
What accounts for Oracle’s market decline? “As has been the case historically, healthcare organizations continue to cite poor partnership and a lack of follow-through on promises as some of their biggest concerns,” KLAS reported, adding, “While many Cerner customers hoped the 2022 acquisition by Oracle Health would lead to relationship improvements, the vendor’s loyalty and relationship ratings have dropped over 10 points since November 2021 (just before the announced acquisition).”
On the other hand, current and potential Oracle customers have expressed “cautious optimism” due to recent technology developments, KLAS reported, including rollouts of Clinical AI Agent, Seamless Exchange, and Oracle Cloud Infrastructure, plus announcements of a new EHR system and patient portal.
“More than one-third of customers report that over the last six months, there has been a positive change in the vendor’s execution/delivery,” KLAS reported. “This represents a notable change from the overall sentiment during the last couple of years.”
New EHR installations may require new laboratory information system upgrades and interfaces
Electronic health record (EHR) systems continue to be one of the costliest investments healthcare providers can make. And the company that holds the largest portion of the EHR market is Epic, with anywhere from 36% to 44%, according to various published reports and research briefs.
Healthcare executives remorseful about the cost of their hospital’s EHR may take solace in Becker’s Health IT’s recent list of the “most expensive” Epic EHR installations. It is common for the largest projects to cross the $1 billion mark.
Clinical laboratory leaders tasked with interfacing their hospital’s laboratory information system (LIS) with their healthcare system’s EHR may find the following information useful. The investment in time begins months before the actual EHR implementation.
One example is Lake Charles Memorial Health System (LCMHS) Lake Charles, La. In a blog post, the health system reported that it took 18 months for its physicians, clinicians, and staff to prepare for the installation of their new Epic MyChart EHR.
“There are lots of things we wish our customers would do to make sure their system runs well. Making sure every user is trained, for example. Putting in upgrades quickly. Making sure that the hardware runs fast enough,” wrote Judy Faulkner, Epic founder and CEO, in an Epic blog post.
“The LCMHS staff and physicians have championed this project from the beginning, and I have them to thank for the success of this EMR transition and look forward to seeing the positive impacts as we settle into the operational changes and new experiences Epic brings Lake Charles Memorial Health System and those we serve,” said Devon Hyde (above), President and CEO of Lake Charles Memorial Health System, about the provider’s transition to a new Epic MyChart EHR. (Photo copyright: Lake Charles Memorial Health System.)
Top 10 Most Expensive Epic EHR Installs of 2024
While Becker’s noted that the following compilation is “not an exhaustive list,” here’s its list of the top 10 most expensive Epic EHR projects based on publicly available sources.
KLAS reported that among the healthcare leaders KLAS interviewed:
27% had “an above-average EHR post-implementation” likely due to “providing technological foundation needed” at go-live, while,
40% said implementation of the EHR “had significant misses” and,
22% reported “average satisfaction with room for improvement.”
Providing staff with adequate training may smooth the way for new EHRs, according to the KLAS report. “Often, leaders wish they had invested in more training time and workflow-specific training in the context of patient care,” the authors wrote.
New EHR May Mean New LIS
Pathologists and clinical laboratory leaders may need to transition the laboratory information system (LIS) when the healthcare organization moves to a new EHR. At the very least, new interfaces will be required.
While a new EHR and LIS requires significant investments, they also provide opportunities for needed upgrades, competitive advantage, and security.
Nearly 100,000 patients submitted saliva samples to a genetic testing laboratory, providing insights into their disease risk
Researchers at Mayo Clinic have employed next-generation sequencing technology to produce a massive collection of exome data from more than 100,000 patients, offering a detailed look at genetic variants that predispose people to certain diseases. The study, known as Tapestry, was administered by doctors and scientists from the clinic’s Center for Individualized Medicine and produced the “largest-ever collection of exome data, which include genes that code for proteins—key to understanding health and disease,” according to a Mayo Clinic news release.
For our clinical laboratory professionals, this shows the keen interest that a substantial portion of the population has in using their personal genetic data to help physicians identify their risk for many diseases and types of cancer. This support by healthcare consumers is a sign that labs should be devoting attention and resources to providing these types of gene sequencing services.
As Mayo explained in the news release, the exome includes nearly 20,000 genes that code for proteins. The researchers used the dataset to analyze genes associated with higher risk of heart disease and stroke along with several types of cancer. They noted that the data, which is now available to other researchers, will likely provide insights into other diseases as well, the news release notes.
“What we’ve accomplished with the Tapestry study is a blueprint for future endeavors in medical science,” said gastroenterologist and lead researcher Konstantinos Lazaridis, MD (above), in the news story. “It demonstrates that through innovation, determination and collaboration, we can deeply advance our understanding of DNA function and eventually other bio-molecules like RNA, proteins and metabolites, turning them into novel diagnostic tools to improve health, prevent illness, and even treat disease.” Some of these newly identified genetic markers may be incorporated into new clinical laboratory assays. (Photo copyright: Mayo Clinic.)
How Mayo Conducted the Tapestry Study
One notable aspect of the study was its methodology. The study launched in July 2020 during the COVID-19 pandemic. Since many patients were quarantined, researchers conducted the study remotely, without the need for the patients to visit a Mayo facility. It ran for five years through May 31, 2024. The news release notes that it’s the largest decentralized clinical trial ever conducted by the Mayo Clinic.
The researchers identified 1.3 million patients from the main Mayo Clinic campuses in Minnesota, Arizona, and Florida who met the following eligibility criteria:
Participants had to be 18 or older,
they had to have internet and email access, and
be sufficiently proficient in speaking and reading English.
More than 114,000 patients consented to participate, but some later withdrew, resulting in a final sample of 98,222 individuals. Approximately two-thirds were women. Mean age was 57 (61.9 for men and 54.3 for women).
“It was a tremendous effort,” said Mayo Clinic gastroenterologist and lead researcher Konstantinos Lazaridis, MD, in the news release. “The engagement of such a number of participants in a relatively short time and during a pandemic showcased the trust and the dedication not only of our team but also of our patients.”
He added that the researchers “learned valuable lessons about some patients’ decisions not to participate in Tapestry, which will be the focus of future publications.”
Three Specific Genes
Enrolled patients were invited to visit a website, where they could view a video and submit an eligibility form. Once approved, they completed a digital consent agreement and received a saliva collection kit. Participants were also invited to provide information about their family history.
Helix, a clinical laboratory company headquartered in San Mateo, Calif., performed the exome sequencing.
Though Helix performed whole exome sequencing, the researchers were most interested in three specific sets of genes:
Patients received clinical results directly from Helix along with information about their ancestry. Clinical results were also transmitted to Mayo Clinic for inclusion in patients’ electronic health records (EHRs).
Among the participants, approximately 1,800 (1.9%) had what the researchers described as “actionable pathogenic or likely pathogenic variants.” About half of these were BRCA1/2.
These patients were invited to speak with a genetic counselor and encouraged to undergo additional testing to confirm the variants.
Tapestry Genomic Registry
In addition to the impact on the participants, Mayo Clinic’s now has an enormous amount of raw sequencing data stored in the Tapestry Genomic Registry, where it will be available for future research.
The database “has become a valuable resource for Mayo’s scientific community, with 118 research requests submitted,” the researchers wrote in the news release. Mayo has distribution more than a million exome datasets to other genetic researchers.
“What we’ve accomplished with the Tapestry study is a blueprint for future endeavors in medical science,” Lazaridis noted. “It demonstrates that through innovation, determination, and collaboration, we can deeply advance our understanding of DNA function and eventually other bio-molecules like RNA, proteins and metabolites, turning them into novel diagnostic tools to improve health, prevent illness, and even treat disease.”
Everything about this project is consistent with precision medicine, and the number of individuals discovered to have risk of cancers is relevant. Clinical laboratory professionals understand these ratios and the importance of early detection and early intervention.
Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections
Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.
Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”
AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”
API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.
The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)
Embargo on the Hunt for PHI
Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack.
Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data.
“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.
Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported.
Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.
Other Cyberattacks on Healthcare Organizations
Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.
Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.
Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.
Inability to access clinical laboratory test results forced hospitals to suspend critical procedures and surgeries causing major disruptions to healthcare
Cyberattacks continue to shut down the ability of hospitals to process orders for clinical laboratory tests, medical imaging, and prescriptions. One such cyberattack recently took place against Ascension, the largest nonprofit Catholic health system in the United States. It took more than a month for the health network’s electronic health record (EHR) system to be fully restored, according to a cybersecurity event press release.
Immediately following the event, Ascension announced it had hired a third party company to resolve the fallout from the cyberattack.
“On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cybersecurity event. … Access to some systems have been interrupted … We have engaged Mandiant, a third party expert, to assist in the investigation and remediation process, and we have notified the appropriate authorities,” a press release states.
Based in Reston, Va., Mandiant is an American cybersecurity firm and a subsidiary of Google.
Cyberattacks are happening more frequently and medical professionals need to be aware that patient care can be severely disrupted by such attacks. The Ascension attack locked its employees out of the healthcare provider’s computer databases, rendering medical personnel unable to track and coordinate patient care. The health network’s EHR, phones, and databases used to order certain clinical laboratory tests, imaging services, procedures, and medications were all affected.
Hospital employees, including two doctors and a registered nurse, spoke anonymously to the Detroit Free Press regarding the issues at their facilities resulting from the cyberattack.
“It’s so, so dangerous,” said the nurse, describing the immediate aftermath of the cyberattack. “We are waiting four hours for head CT [computed tomography scan] results on somebody having a stroke or a brain bleed. We are just waiting. I don’t know why they haven’t at least paused the ambulances and accepting transfers because we physically … don’t have the capacity to care for them right now.”
“In some cases, what are supposed to be unique medical record numbers assigned to patients when they register in the emergency department at Ascension St. John [Detroit, Mich.] have been given to more than one patient at a time,” Detroit Free Press reported. “Because of that, the nurse told the Free Press she couldn’t be confident that a patient’s blood test results actually were his own.”
“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” Jeff Tully, MD (above), Associate Clinical Professor, Anesthesiology, and co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego, told NPR. “These types of cybersecurity incidents should be thought of as a matter of when and not if,” he added. Inability to verify clinical laboratory test results or access patients’ electronic medical records endangers patients and undermines the confidence of critical healthcare workers. (Photo copyright: UC San Diego.)
Losing Track of Patients and Their Records
According to the HIPAA Journal’sH1, 2024 Healthcare Data Breach Report, “In H1 [first half of the fiscal year], 2024, 387 data breaches of 500 or more [healthcare] records were reported to OCR, which represents an 8.4% increase from H1, 2023, and a 9.3% increase from H1, 2022.”
After the Ascension cyberattack, the healthcare organization’s computer systems were inoperable, and its pharmacy services were temporarily closed. Medical orders for clinical laboratory testing, imaging tests, and prescriptions had to be handwritten on paper and faxed to appropriate departments, which led to long wait times for patients.
There were cases where singular medical record numbers were assigned to multiple patients. Staff resorted to Google documents, paper charting, and text messaging to communicate with one another. But they still lost track of some patients.
“For a lot of our nurses, they’ve never paper charted at all,” said Connie Smith, a charge capture coordinator and head of the Wisconsin Federation of Nurses and Health Professionals, in a ThinkStack blog post. “We were using forms that we pulled out of drawers that hadn’t seen the light of day in a long, long time.”
“They are texting me to find out where the patient went,” a St. John Hospital Emergency Room physician anonymously told the Free Press immediately following the Ascension cyberattack. “They don’t even know where the patient is going or if they’ve been admitted. People are getting lost.
“The pharmacy is getting requests for patient medications, and they have no idea where the patient is in the hospital,” the doctor continued. “Some of the attending physicians are putting in orders for medications, somewhat dangerous medications, and we have no idea if the medications are actually being administered. It’s a scary thing when your medical license is tied to this. If medication mistakes become lawsuits, they will follow us throughout our entire careers and that is not fair to us. It’s not fair to patients.”
According to online updates provided by Ascension, the cyberattack began when an employee downloaded a malicious file thinking it was a legitimate document. That allowed hackers to access seven of Ascension’s 25,000 servers. The resulting cyberattack stifled operations across the organization’s facilities and among its healthcare providers for weeks.
A June 12 update read, “we are pleased to announce that electronic health record (EHR) access has been restored across our ministries. This means that clinical workflow in our hospitals and clinics will function similarly to the way it did prior to the ransomware attack.” The updates did not mention how the attack was resolved or if a ransom was paid to restore the hospitals’ systems.
Preparing for System Disruptions
According to its website, St. Louis-based Ascension has 134,000 associates, 35,000 affiliated providers, and 140 hospitals serving communities in 18 states and the District of Columbia.
“Despite the challenges posed by the recent ransomware incident, patient safety continues to be our utmost priority. Our dedicated doctors, nurses, and care teams are demonstrating incredible thoughtfulness and resilience as we utilize manual and paper based systems during the ongoing disruption to normal systems,” Ascension noted in a Michigan Cybersecurity Event Update.
Clinical laboratory managers and anatomic pathology practice administrators may want to learn from Ascension’s experience and make advanced preparations that will secure patient information and enable their lab to continue functioning during a cyberattack. The Ascension cyberattack illustrates how easily computer systems containing critical information can be hacked and affect patient care.
