Esse Health says recent data breach affects over 263,000 patients

Esse Health, a healthcare provider based in St. Louis, Missouri, is notifying over 263,000 patients that their personal and health information was stolen in an April cyberattack.

As the largest independent physicians’ group in the Greater St. Louis area, Esse Health operates 50 locations and employs over 100 physicians.

The organization was made aware of a breach after the attackers took down some primary patient-facing network systems and its phone systems on April 21.

Impacted systems were not brought back online until June 2, when Esse Health updated a notification on its website to inform patients they could again reach out via all regular channels, including text messages, phone calls, and the patient portal.

“Based on the investigation, a cybercriminal gained access to our network on April 21, 2025. While in our network, the cybercriminal was able to view and copy certain files,” Esse Health privacy officer Jaime L. Bremerkamp says in breach notification letters sent to 263,601 affected individuals.

“As part of our investigation, we conducted a time-intensive review of the files involved to determine the types of data present and to whom it related. This review identified that information related to you may have been contained in those files.”

According to a filing with Maine’s Attorney General on Monday, the attackers stole a wide range of sensitive data for each impacted patient, including personal information (e.g., name, address, date of birth), health insurance information, medical record number, patient account number, and some health information.

Esse Health also stated that it found no evidence of stolen Social Security numbers and confirmed that its NextGen electronic medical record system was not breached.

Those affected are advised to review their account statements and monitor their credit reports for suspicious activity that may be linked to identity theft and fraud attempts. Esse Health also provides them with free identity protection services through data breach and recovery services provider IDX if they enroll by September 25, 2025.

While Esse Health has yet to reveal the nature of the attack, restoration efforts spanning multiple months suggest a ransomware attack, where some of its systems were encrypted after the threat actors stole documents containing patients’ data. However, no ransomware operation has claimed responsibility for the breach since April.

An Esse Health spokesperson was not immediately available for comment when BleepingComputer reached out for more details earlier today.
