Active breach tracker St. Louis, Missouri Disclosed June 20, 2025

Esse Health Data Breach 2025: 263,601 Patients Hit in April Cyberattack · $2.53M Class-Action Settlement Reached

Esse Health, a St. Louis-area independent physician group, detected a network intrusion on April 21, 2025 that took its phone systems and patient-facing services offline. The entity ultimately notified 263,601 individuals; a consolidated class action covering an estimated 521,167 people settled for $2,525,000 with final approval set for August 3, 2026. The matching HHS OCR portal entry was filed June 20, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 21, 2025

Cybercriminal accesses Esse Health network; phone system and patient-facing systems taken offline the same day

Apr 21, 2025

Esse Health detects the intrusion and begins incident response

May 13, 2025

Esse Health restores enough capacity to resume scheduled appointments and procedures

Jun 2, 2025

Phone systems and primary patient-facing systems restored; patients can again reach the practice via text, phone, and patient portal

Jun 20, 2025

HIPAA breach notification filed with HHS Office for Civil Rights (Hacking/IT Incident, Network Server) — OCR portal entry lists 23,671 affected

Jul 1, 2025

Individual notification letters sent to affected patients; free IDX identity protection offered with enrollment deadline of September 25, 2025

Jul 1, 2025

Multiple class-action complaints filed in U.S. District Court for the Eastern District of Missouri and consolidated into the 22nd Judicial Circuit Court of St. Louis City as Clausner et al. v. American Multispecialty Group

Aug 3, 2026

Final approval hearing scheduled for the $2,525,000 class-action settlement (claim deadline August 4, 2026; objection/exclusion deadline July 5, 2026)

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers (disputed — Esse Health's notice states SSNs were not involved; the class-action complaint alleges SSNs were exposed)

02

Health records

Don't expire and can't be reissued

Medical record numbers and patient account numbers Certain health/treatment information

03

Contact & insurance

Phishing + targeted scams

Names, addresses, dates of birth Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter LLP — investigating and signing affected patients Schubert Jonckheer & Kolbe LLP — investigating Migliaccio & Rathod LLP — investigating Almeida Law Group LLC — investigating The Lyon Firm — investigating Arnold Law Firm — investigating
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Esse Health, the operating name of American Multispecialty Group, Inc., is an independent physician group with roughly 100 doctors across about 45-50 locations in the greater St. Louis area. On April 21, 2025, a cybercriminal gained access to its network, taking down patient-facing services and the practice’s phone system the same day. Restoration stretched into early June, a timeline consistent with ransomware-style encryption, though no extortion group has publicly claimed responsibility. The company ultimately notified 263,601 individuals, while the consolidated class-action complaint covers an estimated 521,167 people. A $2,525,000 settlement has been preliminarily approved, with a final fairness hearing set for August 3, 2026. The HHS OCR portal lists this matter under a separate, smaller entry (23,671 affected, filed June 20, 2025); patients should treat the entity’s own notice — not the OCR row — as the operative number.

Timeline

  • April 21, 2025 — Network intrusion begins and is detected the same day. Esse Health takes its phone systems and primary patient-facing systems offline.
  • May 13, 2025 — Enough capacity is restored for the practice to resume scheduled appointments and procedures.
  • June 2, 2025 — Phone systems and patient-facing channels are fully restored; patients can again reach the practice by text, phone, and patient portal.
  • June 20, 2025 — HIPAA breach notification filed with HHS OCR: Hacking/IT Incident at Network Server, 23,671 affected on the OCR row.
  • On or about July 1, 2025 — Individual notification letters mailed. Esse Health offers free identity protection through IDX with an enrollment deadline of September 25, 2025.
  • July 2025 — Multiple putative class actions filed in the U.S. District Court for the Eastern District of Missouri and consolidated in the 22nd Judicial Circuit Court of St. Louis City as Clausner et al. v. American Multispecialty Group.
  • August 3, 2026 — Final approval hearing for the $2,525,000 settlement. Claim deadline is August 4, 2026; objection and exclusion deadline is July 5, 2026.

What was exposed

Esse Health’s own breach notice describes the following categories of patient information as having been viewed or copied by the attacker:

  • Names, addresses, dates of birth
  • Health insurance information
  • Medical record numbers and patient account numbers
  • Certain health/treatment information

Esse Health states that Social Security numbers were not involved and that its NextGen electronic medical record system was not accessed. The plaintiff complaint in the consolidated class action alleges a broader set, including Social Security numbers, for at least some class members. If your individual notification letter lists an SSN among the exposed elements, treat that letter as authoritative for your record.

What Esse Health is offering

  • Two years of identity protection through IDX, free of charge, with an enrollment deadline of September 25, 2025.
  • Under the proposed class-action settlement, class members are additionally entitled to a pro rata cash payment estimated at approximately $50 per claimant, two years of medical identity protection services, and a $1 million medical identity theft insurance policy (funded separately by Esse Health).

If you received a notification letter, the IDX enrollment code in that letter is single-use and tied to your record; keep the letter.

Class-action status

Several individual complaints filed in the U.S. District Court for the Eastern District of Missouri were consolidated in the 22nd Judicial Circuit Court of St. Louis City, Missouri, as Clausner et al. v. American Multispecialty Group. The settlement provides a $2,525,000 non-reversionary fund, plus the medical identity theft insurance policy and identity protection services described above. Key dates:

  • July 5, 2026 — deadline to object to or exclude yourself from the settlement.
  • August 3, 2026 — final approval hearing.
  • August 4, 2026 — deadline to file a claim.

Multiple plaintiff firms (Lynch Carpenter, Schubert Jonckheer & Kolbe, Migliaccio & Rathod, Almeida Law Group, The Lyon Firm, Arnold Law Firm) publicly opened investigations and are still accepting affected patients; if you have not yet filed a claim and you received a notification letter, you remain eligible.

What to do if you may be affected

  • Enroll in the free IDX identity protection using the code in your notification letter. There is no cost and no downside.
  • File a claim in the settlement before August 4, 2026 if you received a notice. Proof of receipt is the simplest path; keep your notice letter and the envelope it arrived in.
  • Freeze your credit with Equifax, Experian, and TransUnion. It is free and is the single highest-leverage step against new-account identity theft, regardless of whether Esse Health’s notice listed an SSN for your record.
  • Watch for medical-identity-theft signals: explanation-of-benefits statements for care you did not receive, unexpected collections from a provider, or claim denials because your benefits appear used.
  • Verify any caller claiming to be from Esse Health. Phone-based phishing tends to spike around breach notifications. Call back using the number on your patient portal or the back of your insurance card, not a number provided by an inbound caller.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.