Healthcare provider Esse Health is notifying more than a quarter million patients of a data breach after a significant cyberattack disrupted its systems in April 2025.
Network Compromise Discovered After System Outages in April
Esse Health, the largest independent physicians’ group in the Greater St. Louis area, has disclosed a cyberattack that compromised the personal and health information of 263,601 patients. The breach was detected after several patient-facing systems, including phones and digital portals, went offline on April 21, 2025.
The organization, which operates 50 medical offices and employs over 100 physicians, spent over a month restoring its systems. Normal communications—including phone, text, and patient portal access—were only fully restored by June 2, 2025, according to an update posted on its website.
“Based on the investigation, a cybercriminal gained access to our network on April 21, 2025. While in our network, the cybercriminal was able to view and copy certain files,” said Jaime L. Bremerkamp, Esse Health’s privacy officer.
Data Exfiltration Included Medical Records, But Not SSNs
In a filing with the Maine Attorney General, Esse Health confirmed the attack led to the theft of sensitive patient data. The types of information compromised vary by individual, but generally include:
- Full names
- Addresses
- Dates of birth
- Health insurance details
- Medical record numbers
- Patient account numbers
- Some health information
However, the company stated there is no evidence that social security numbers were involved, and the NextGen electronic medical record system—which houses core clinical data—was not breached.
The nature of the attack has not been publicly confirmed, but the extended recovery time and offline services suggest ransomware may have been involved. No known ransomware group has claimed responsibility to date.
Identity Monitoring Services and Precautionary Advice
Esse Health is offering affected individuals free identity protection services through IDX, a data breach recovery provider. Enrollments must be completed by September 25, 2025. Patients are also advised to remain alert for suspicious account activity, review financial statements, and consider monitoring their credit reports.
As of now, no further comment has been provided by Esse Health representatives regarding how the attackers gained access or how many systems were encrypted.
Healthcare Providers Remain High-Value Targets for Cybercriminals
This incident highlights the ongoing cyber risks faced by healthcare providers, especially those with large, distributed operations. Protected health information (PHI) remains a prime target due to its high value on dark web markets. Attacks involving data theft and potential encryption can cripple patient services, delay care, and trigger extensive compliance obligations.
For providers, the ability to recover securely after an attack is as critical as the initial containment. Maintaining immutable, air-gapped backups can ensure continuity of care—even during system-wide outages.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.
