Esse Health, a major healthcare provider in Missouri, reported that the personal information of over 263,000 individuals was stolen during a cyberattack in April 2025. The breach was discovered on April 21, 2025, and significantly disrupted Esse Health’s operations by impacting access to its electronic medical record system and taking down its phone system.
Details of the breach
The attackers accessed files containing names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, health information, and health insurance details. The incident forced Esse Health to operate at reduced capacity, with some appointments delayed or rescheduled. Phone systems and patient-facing network systems were only fully restored in early June.
Esse Health engaged third-party cybersecurity specialists to investigate and recover from the attack. By May 13, some systems were restored enough to resume scheduled appointments, and the phone system was back online in June. On June 20, Esse Health confirmed the data theft and began notifying affected individuals. The company is offering 12 months of free identity protection services and guidance on preventing identity theft and fraud.
As of the latest update, Esse Health stated there is no indication that the stolen information has been misused.
Background
Esse Health operates around 45–50 locations in the Greater St. Louis area, serving a large patient base. The breach has prompted concerns about the security of healthcare data, with legal and privacy experts monitoring the situation for potential class action litigation. Individuals who received a notification letter from Esse Health are advised to take advantage of the offered identity protection services and remain vigilant for signs of identity theft or fraud.
