Massive Data Breach at Esse Health Impacts 263,000 Individuals

TL;DR

In April 2025, Missouri-based healthcare provider Esse Health experienced a significant data breach affecting over 263,000 individuals. The breach exposed sensitive information, including Social Security numbers and medical data. Esse Health has taken steps to enhance security measures and offer identity protection services to those affected.

Esse Health Data Breach: Overview and Impact

In April 2025, Esse Health, a prominent healthcare provider based in Missouri, suffered a severe cyberattack that resulted in the theft of personal data from over 263,000 individuals. The breach disrupted the organization’s systems and exposed sensitive information, including names, Social Security numbers, and medical records.

Background on Esse Health

Esse Health is an independent physician group operating in the Greater St. Louis area. Established in 1996 through the merger of two physician-led organizations, it has grown to include over 100 doctors across 45–50 locations. The group offers a wide range of services, including adult and pediatric primary care, as well as specialties such as allergy, gastroenterology, radiology, and urology.

Details of the Cyberattack

The cyberattack was discovered on April 21, 2025, when suspicious activity was identified within the Esse Health network. An investigation, assisted by external cybersecurity and forensic specialists, revealed that a cybercriminal had gained access to the network on the same day. The investigation confirmed that the attacker was able to view and copy certain files containing sensitive information.

“On April 21, 2025, suspicious activity was identified within the Esse Health network. We initiated an investigation with the assistance of external cybersecurity and forensic specialists. We took steps to secure our systems and notified law enforcement. Based on the investigation, a cybercriminal gained access to our network on April 21, 2025.” reads the data breach notice published by the company. “While in our network, the cybercriminal was able to view and copy certain files. As part of our investigation, we conducted a time-intensive review of the files involved to determine the types of data present and to whom it related.”

Scope of the Data Breach

The stolen data included:

• Names
• Social Security numbers
• Medical information
• Insurance information

According to the data breach notification shared with the Maine Attorney General’s Office, the data breach impacted 263,601 individuals.

Response and Mitigation Measures

Esse Health confirmed that the electronic medical record system was not accessed or copied. The organization is now notifying affected individuals by mail following an internal investigation. Authorities have also been informed about the incident.

To prevent similar incidents in the future, Esse Health has enhanced its security measures. Although no misuse of data has been found, the company is offering free identity protection services to affected individuals as a precaution.

“As a precaution, it is always good practice to remain vigilant against incidents of identity theft and fraud by reviewing account statements and monitoring free credit reports for suspicious activity and to detect errors.” concludes the notice. “Under federal law, you also are entitled every 12 months to one free copy of your credit report from each of the three major credit reporting companies listed below, whether or not you suspect any authorized activity on your account.”

Potential Cause of the Attack

Esse Health has not provided specific details about the nature of the attack, but the widespread system disruption suggests a possible ransomware incident.

Additional Resources

For further insights, check:

• Esse Health Data Breach Notice
• Maine Attorney General’s Office Notification
• Security Affairs Article

References