Esse Health Confirms Almost 264,000 Individuals Affected by April 2025 Cyberattack
Esse Health has confirmed that 263,601 individuals have been affected by its April 2025 cyberattack. Data breaches have also been announced by Health Care and Rehabilitation Services of Southeastern Vermont, Harbor in Ohio, and Mosaic Life Care in Missouri.
Esse Health, Missouri
Esse Health, an independent physician group healthcare provider with 50 locations in the Greater St. Louis area in Missouri, has recently notified the Maine Attorney General about an April 2025 cyberattack and data breach involving unauthorized access to the personal information of 263,601* individuals, although the breach report submitted to the HHS’ Office for Civil Rights suggests that the total only includes the protected health information of 23,671 patients.
Esse Health had previously publicly announced the cyberattack, which prevented access to its electronic medical record system, resulting in appointments being cancelled. At the time of the announcement, the investigation and file review were ongoing, so it was unclear how many individuals had been affected.
Esse Health has confirmed that the cyberattack was detected on April 21, 2025, and that the investigation has confirmed that files containing patient data were exfiltrated from its network. The file review has now been completed, and it has been confirmed that the data compromised in the incident included names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and certain health information. No evidence was found to indicate Social Security numbers were compromised in the incident, and its NextGen electronic medical record system was not subject to unauthorized access.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Additional security enhancements have been implemented to further strengthen its cybersecurity defenses, and credit monitoring and identity theft protection services have been offered to the affected individuals.
* The Maine Attorney General’s website still lists the data breach as affecting 263,601 individuals; however, the lawsuit filed in response to the data breach states that 521,167 individuals were affected. The lawsuit has recently been settled for $2,525,000.
Health Care and Rehabilitation Services of Southeastern Vermont
Health Care and Rehabilitation Services of Southeastern Vermont (HCRS) has started issuing notifications about a December 2024 data security incident involving unauthorized access to its email environment. The unauthorized access was detected on December 20, 2024, and an investigation was launched with assistance provided by third-party cybersecurity specialists.
The investigation and data review confirmed there had been unauthorized access to certain email accounts, which contained sensitive patient data. On May 12, 2025, it was confirmed that the unauthorized access occurred between December 4, 2024, and December 9, 2024. Files and emails subjected to unauthorized access contained first and last names, dates of birth, Social Security numbers, financial account numbers, dates of service/treatment, health insurance information, medical histories, driver’s license numbers, patient numbers, MRNs, healthcare billing information, and medical treatment information.
HCRS said it will continue to review and update its security practices, policies, and procedures to protect sensitive patient data. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Mosaic Life Care, Missouri
Mosaic Life Care, a Mayo Clinic Care Network Member serving patients in Missouri, Kansas, and Iowa, has recently announced that it has been affected by a data breach at its vendor, Oracle Health (formerly Cerner). Mosaic Life Care was contacted by an unknown third party who claimed they were in possession of patient information. That individual’s claims were verified on April 29, 2025, and on May 2, 2025, the source of the data was confirmed to be Oracle Health. Mosaic Life Care notified Oracle Health about the breach, which occurred as early as January 22, 2025.
Oracle Health was in the process of migrating data from legacy Cerner systems to the Oracle Health platform when a hacker gained access to two legacy Cerner servers using compromised credentials. Oracle Health provided Mosaic Life Care with a full list of the affected individuals on June 6, 2025. Several other Oracle Health clients were also affected by the data breach.
Mosaic Life Care has confirmed that the breach was limited to the two Oracle Health servers and that its own systems were unaffected. The data compromised in the incident included Social Security numbers, driver’s license numbers, dates of birth, treating physicians, dates of service, medication information, insurance information, and treatment or diagnostic information. Mosaic Life Care is offering complimentary identity monitoring services to the affected patients. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Harbor, Ohio
Harbor, an Ohio-based provider of mental health and substance use disorder treatment services, has notified 2,703 individuals that some of their protected health information was exposed and potentially stolen in an April 2025 email security breach. Suspicious activity was identified in an employee’s email account on April 23, 2025, and the forensic investigation confirmed that the account had been accessed by an unauthorized third party between April 23 and April 24, 2025.
The email account review confirmed that the account contained patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, other state identification numbers, medical diagnosis and treatment information, clinical information, financial account information, and health insurance information. Individuals affected by the data breach are encouraged to be vigilant against identity theft and fraud.
