Esse Health Data Breach 2025: 263,601 Patients Hit in April Cyberattack · $2.53M Class-Action Settlement Reached
Esse Health, a St. Louis-area independent physician group, detected a network intrusion on April 21, 2025 that took its phone systems and patient-facing services offline. The entity ultimately notified 263,601 individuals; a consolidated class action covering an estimated 521,167 people settled for $2,525,000 with final approval set for August 3, 2026. The matching HHS OCR portal entry was filed June 20, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 21, 2025
Cybercriminal accesses Esse Health network; phone system and patient-facing systems taken offline the same day
Apr 21, 2025
Esse Health detects the intrusion and begins incident response
May 13, 2025
Esse Health restores enough capacity to resume scheduled appointments and procedures
Jun 2, 2025
Phone systems and primary patient-facing systems restored; patients can again reach the practice via text, phone, and patient portal
Jun 20, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (Hacking/IT Incident, Network Server) — OCR portal entry lists 23,671 affected
Jul 1, 2025
Individual notification letters sent to affected patients; free IDX identity protection offered with enrollment deadline of September 25, 2025
Jul 1, 2025
Multiple class-action complaints filed in U.S. District Court for the Eastern District of Missouri and consolidated into the 22nd Judicial Circuit Court of St. Louis City as Clausner et al. v. American Multispecialty Group
Aug 3, 2026
Final approval hearing scheduled for the $2,525,000 class-action settlement (claim deadline August 4, 2026; objection/exclusion deadline July 5, 2026)
Apr 21, 2025
Cybercriminal accesses Esse Health network; phone system and patient-facing systems taken offline the same day
Apr 21, 2025
Esse Health detects the intrusion and begins incident response
May 13, 2025
Esse Health restores enough capacity to resume scheduled appointments and procedures
Jun 2, 2025
Phone systems and primary patient-facing systems restored; patients can again reach the practice via text, phone, and patient portal
Jun 20, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (Hacking/IT Incident, Network Server) — OCR portal entry lists 23,671 affected
Jul 1, 2025
Individual notification letters sent to affected patients; free IDX identity protection offered with enrollment deadline of September 25, 2025
Jul 1, 2025
Multiple class-action complaints filed in U.S. District Court for the Eastern District of Missouri and consolidated into the 22nd Judicial Circuit Court of St. Louis City as Clausner et al. v. American Multispecialty Group
Aug 3, 2026
Final approval hearing scheduled for the $2,525,000 class-action settlement (claim deadline August 4, 2026; objection/exclusion deadline July 5, 2026)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Esse Health, the operating name of American Multispecialty Group, Inc., is an independent physician group with roughly 100 doctors across about 45-50 locations in the greater St. Louis area. On April 21, 2025, a cybercriminal gained access to its network, taking down patient-facing services and the practice’s phone system the same day. Restoration stretched into early June, a timeline consistent with ransomware-style encryption, though no extortion group has publicly claimed responsibility. The company ultimately notified 263,601 individuals, while the consolidated class-action complaint covers an estimated 521,167 people. A $2,525,000 settlement has been preliminarily approved, with a final fairness hearing set for August 3, 2026. The HHS OCR portal lists this matter under a separate, smaller entry (23,671 affected, filed June 20, 2025); patients should treat the entity’s own notice — not the OCR row — as the operative number.
Timeline
- April 21, 2025 — Network intrusion begins and is detected the same day. Esse Health takes its phone systems and primary patient-facing systems offline.
- May 13, 2025 — Enough capacity is restored for the practice to resume scheduled appointments and procedures.
- June 2, 2025 — Phone systems and patient-facing channels are fully restored; patients can again reach the practice by text, phone, and patient portal.
- June 20, 2025 — HIPAA breach notification filed with HHS OCR: Hacking/IT Incident at Network Server, 23,671 affected on the OCR row.
- On or about July 1, 2025 — Individual notification letters mailed. Esse Health offers free identity protection through IDX with an enrollment deadline of September 25, 2025.
- July 2025 — Multiple putative class actions filed in the U.S. District Court for the Eastern District of Missouri and consolidated in the 22nd Judicial Circuit Court of St. Louis City as Clausner et al. v. American Multispecialty Group.
- August 3, 2026 — Final approval hearing for the $2,525,000 settlement. Claim deadline is August 4, 2026; objection and exclusion deadline is July 5, 2026.
What was exposed
Esse Health’s own breach notice describes the following categories of patient information as having been viewed or copied by the attacker:
- Names, addresses, dates of birth
- Health insurance information
- Medical record numbers and patient account numbers
- Certain health/treatment information
Esse Health states that Social Security numbers were not involved and that its NextGen electronic medical record system was not accessed. The plaintiff complaint in the consolidated class action alleges a broader set, including Social Security numbers, for at least some class members. If your individual notification letter lists an SSN among the exposed elements, treat that letter as authoritative for your record.
What Esse Health is offering
- Two years of identity protection through IDX, free of charge, with an enrollment deadline of September 25, 2025.
- Under the proposed class-action settlement, class members are additionally entitled to a pro rata cash payment estimated at approximately $50 per claimant, two years of medical identity protection services, and a $1 million medical identity theft insurance policy (funded separately by Esse Health).
If you received a notification letter, the IDX enrollment code in that letter is single-use and tied to your record; keep the letter.
Class-action status
Several individual complaints filed in the U.S. District Court for the Eastern District of Missouri were consolidated in the 22nd Judicial Circuit Court of St. Louis City, Missouri, as Clausner et al. v. American Multispecialty Group. The settlement provides a $2,525,000 non-reversionary fund, plus the medical identity theft insurance policy and identity protection services described above. Key dates:
- July 5, 2026 — deadline to object to or exclude yourself from the settlement.
- August 3, 2026 — final approval hearing.
- August 4, 2026 — deadline to file a claim.
Multiple plaintiff firms (Lynch Carpenter, Schubert Jonckheer & Kolbe, Migliaccio & Rathod, Almeida Law Group, The Lyon Firm, Arnold Law Firm) publicly opened investigations and are still accepting affected patients; if you have not yet filed a claim and you received a notification letter, you remain eligible.
What to do if you may be affected
- Enroll in the free IDX identity protection using the code in your notification letter. There is no cost and no downside.
- File a claim in the settlement before August 4, 2026 if you received a notice. Proof of receipt is the simplest path; keep your notice letter and the envelope it arrived in.
- Freeze your credit with Equifax, Experian, and TransUnion. It is free and is the single highest-leverage step against new-account identity theft, regardless of whether Esse Health’s notice listed an SSN for your record.
- Watch for medical-identity-theft signals: explanation-of-benefits statements for care you did not receive, unexpected collections from a provider, or claim denials because your benefits appear used.
- Verify any caller claiming to be from Esse Health. Phone-based phishing tends to spike around breach notifications. Call back using the number on your patient portal or the back of your insurance card, not a number provided by an inbound caller.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (Esse Health, MO, Healthcare Provider, 23,671, 2025-06-20, Hacking/IT Incident, Network Server).
- HIPAA Journal — Esse Health Confirms Almost 264,000 Individuals Affected by April 2025 Cyberattack
- HIPAA Journal — Esse Health Agrees to Pay $2.53M to Settle Data Breach Lawsuit
- HIPAA Journal — Esse Health Cyberattack Disrupts Healthcare Services in St. Louis
- BleepingComputer — Esse Health says recent data breach affects over 263,000 patients
- SecurityWeek — 263,000 Impacted by Esse Health Data Breach
- Security Affairs — Esse Health data breach impacted 263,000 individuals
- DataBreaches.net — Cyberattack puts healthcare on hold for hundreds in St. Louis metro
- ClaimDepot — Esse Health settles data breach class action lawsuit for $2.53 million
- Lynch Carpenter — Investigates Claims in Esse Health Data Breach (GlobeNewswire)
- PRNewswire — PRIVACY ALERT: Esse Health Under Investigation for Data Breach of Over 263,000 Patient Records
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Esse Health Confirms Almost 264,000 Individuals Affected by April 2025 Cyberattack
- HIPAA Journal — Esse Health Agrees to Pay $2.53M to Settle Data Breach Lawsuit
- HIPAA Journal — Esse Health Cyberattack Disrupts Healthcare Services in St. Louis
- BleepingComputer — Esse Health says recent data breach affects over 263,000 patients
- SecurityWeek — 263,000 Impacted by Esse Health Data Breach
- Security Affairs — Esse Health data breach impacted 263,000 individuals
- DataBreaches.net — Cyberattack puts healthcare on hold for hundreds in St. Louis metro
- ClaimDepot — Esse Health settles data breach class action lawsuit for $2.53 million
- Lynch Carpenter — Investigates Claims in Esse Health Data Breach (GlobeNewswire)
- PRNewswire — PRIVACY ALERT: Esse Health Under Investigation for Data Breach of Over 263,000 Patient Records
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.