Mid America Physician Services Data Breach 2025: 104,513 Patients of Kansas City's Largest Independent Women's Health Practice Exposed. SSNs, Financial, Health Insurance Data. Class Action Filed. What To Do.
Mid America Physician Services (MAPS) — the largest independent women's health practice in the Kansas City area, comprising Johnson County OB/GYN, Women's Care, Women's Clinic of Johnson County, and Women's Health Associates — disclosed a network intrusion that exposed names, addresses, dates of birth, Social Security numbers, financial/billing information, health insurance details, and medical treatment information for 104,513 patients. Suit filed in D. Kan. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 14, 2024
MAPS detects suspicious activity on its network; third-party cybersecurity experts engaged; law enforcement notified
Jan 13, 2025
Breach reported to HHS Office for Civil Rights (Hacking/IT Incident, Network Server, 104,513 affected)
May 8, 2025
Forensic investigation concludes; confirms PII and PHI were compromised
Jul 15, 2025
MAPS begins mailing individual notification letters and publishes Notice of Data Security Incident on its website
Jul 15, 2025
More v. Mid America Physician Services, LLC filed in U.S. District Court for the District of Kansas (No. 2:25-cv-02422)
Jul 18, 2025
Incident reported to the Texas Attorney General's office and to at least 13 additional state AGs (CA, IA, ME, MA, MT, NE, NH, OR, RI, SC, VT, WA)
Aug 29, 2025
O.S. and F.C. v. Mid America Physician Services, LLC filed in U.S. District Court for the Western District of Missouri (No. 4:25-cv-00685-RK), representing Missouri and Kansas patients; Kopelowitz Ostrow P.A. for plaintiffs, Lathrop GPM LLP for MAPS
Apr 13, 2026
W.D. Mo. court grants in part MAPS's motion to dismiss: negligence, negligence per se, invasion-of-privacy, breach-of-fiduciary-duty, and MMPA claims dismissed without prejudice; implied-contract, unjust-enrichment, and declaratory/injunctive-relief claims survive
Jun 2, 2026
W.D. Mo. court extends plaintiffs' expert-witness deadline on class-certification issues to July 16, 2026; W.D. Mo. case remains active
Nov 14, 2024
MAPS detects suspicious activity on its network; third-party cybersecurity experts engaged; law enforcement notified
Jan 13, 2025
Breach reported to HHS Office for Civil Rights (Hacking/IT Incident, Network Server, 104,513 affected)
May 8, 2025
Forensic investigation concludes; confirms PII and PHI were compromised
Jul 15, 2025
MAPS begins mailing individual notification letters and publishes Notice of Data Security Incident on its website
Jul 15, 2025
More v. Mid America Physician Services, LLC filed in U.S. District Court for the District of Kansas (No. 2:25-cv-02422)
Jul 18, 2025
Incident reported to the Texas Attorney General's office and to at least 13 additional state AGs (CA, IA, ME, MA, MT, NE, NH, OR, RI, SC, VT, WA)
Aug 29, 2025
O.S. and F.C. v. Mid America Physician Services, LLC filed in U.S. District Court for the Western District of Missouri (No. 4:25-cv-00685-RK), representing Missouri and Kansas patients; Kopelowitz Ostrow P.A. for plaintiffs, Lathrop GPM LLP for MAPS
Apr 13, 2026
W.D. Mo. court grants in part MAPS's motion to dismiss: negligence, negligence per se, invasion-of-privacy, breach-of-fiduciary-duty, and MMPA claims dismissed without prejudice; implied-contract, unjust-enrichment, and declaratory/injunctive-relief claims survive
Jun 2, 2026
W.D. Mo. court extends plaintiffs' expert-witness deadline on class-certification issues to July 16, 2026; W.D. Mo. case remains active
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Mid America Physician Services (MAPS) is the largest independent women’s health practice in the Kansas City area, operating through four divisions: Johnson County OB/GYN, Women’s Care, Women’s Clinic of Johnson County, and Women’s Health Associates. MAPS serves patients across the Kansas City metropolitan area, including patients from both Kansas and Missouri. On November 14, 2024, MAPS detected suspicious activity on its network. A months-long forensic investigation concluded on May 8, 2025, confirming that protected health information and personally identifiable information for 104,513 individuals were compromised in a Hacking/IT Incident at a Network Server. The breach was filed with HHS OCR on January 13, 2025, and individual notification letters were mailed beginning July 15, 2025. No threat actor has been publicly attributed. Two separate putative class actions are now active in federal court.
Timeline
- November 14, 2024 — MAPS detects suspicious activity on its network. Third-party cybersecurity experts are engaged. Law enforcement is notified.
- January 13, 2025 — Breach reported to HHS OCR (Hacking/IT Incident, Network Server, 104,513 affected).
- May 8, 2025 — Forensic investigation concludes; PII and PHI confirmed compromised.
- July 15, 2025 — MAPS begins mailing individual notification letters and publishes a Notice of Data Security Incident on its website. McShane & Brady files More v. Mid America Physician Services, LLC (No. 2:25-cv-02422) in the District of Kansas.
- July 18, 2025 — Incident reported to the Texas Attorney General’s office (at least 636 Texas residents affected). Separate filings submitted to at least 13 additional state AGs, including California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Vermont, and Washington.
- August 29, 2025 — A second putative class action, O.S. and F.C. v. Mid America Physician Services, LLC (No. 4:25-cv-00685-RK), is filed in the Western District of Missouri. Kopelowitz Ostrow P.A. represents the named plaintiffs; Lathrop GPM LLP represents MAPS.
- April 13, 2026 — The W.D. Mo. court grants in part and denies in part MAPS’s motion to dismiss. Negligence, negligence per se, invasion-of-privacy, breach-of-fiduciary-duty, and Missouri Merchandising Practices Act claims are dismissed without prejudice. Implied-contract, unjust-enrichment, and declaratory/injunctive-relief claims survive.
- June 2, 2026 — W.D. Mo. court extends plaintiffs’ expert-witness deadline on class-certification issues to July 16, 2026. The case remains active.
What was exposed
Per the MAPS notification and the Texas AG filing:
- Full name
- Address
- Date of birth
- Social Security number
- Health insurance information
- Billing information
- Financial / payment information
- Medical treatment information
This is a high-severity data set: SSN, financial, and clinical data combined.
What the entity is offering
MAPS established a dedicated assistance line at 833-367-8552 (Monday-Friday, 8 a.m. to 8 p.m. EST) and published a Notice of Data Security Incident on its website. The publicly available materials reviewed for this page do not specify a complimentary credit-monitoring or identity-theft-protection offering (provider or duration). If your individual notification letter includes an enrollment code, follow the instructions in the letter.
Class-action posture
Two separate federal class actions are now active:
- Filed (D. Kan.): More v. Mid America Physician Services, LLC, No. 2:25-cv-02422, U.S. District Court for the District of Kansas (filed July 15, 2025). Plaintiff represented by McShane & Brady.
- Filed (W.D. Mo.): O.S. and F.C. v. Mid America Physician Services, LLC, No. 4:25-cv-00685-RK, U.S. District Court for the Western District of Missouri (filed August 29, 2025). Plaintiffs represented by Kopelowitz Ostrow P.A. (Jeffrey M. Ostrow); MAPS represented by Lathrop GPM LLP (Kathleen Fisher Enyeart). On April 13, 2026, the court dismissed negligence, negligence per se, invasion-of-privacy, breach-of-fiduciary-duty, and MMPA claims without prejudice, but allowed implied-contract, unjust-enrichment, and declaratory/injunctive-relief claims to proceed. Expert-witness disclosures on class certification are due July 16, 2026.
- Investigating: Strauss Borrelli and Siri & Glimstad have each announced public investigations and are soliciting affected individuals.
The combination of SSN exposure, financial and insurance data, and a women’s-health clinical record set attracted litigation in two jurisdictions. The surviving claims in the W.D. Mo. case center on an implied contractual duty to safeguard patient information.
What to do
- Place free credit freezes at Equifax, Experian, and TransUnion.
- File IRS Form 14039 (Identity Theft Affidavit) if your letter confirms SSN exposure.
- Review your health insurance Explanation of Benefits statements for services you did not receive — medical-identity-theft is the highest-leverage abuse path here.
- Read your notification letter for any credit-monitoring enrollment code and enroll if offered. If MAPS’ letter to you offers nothing, consider purchasing your own monitoring.
- Stop the ongoing flow of your reproductive-health and treatment data. HealthConsent files HIPAA restriction requests so the data exposed in this breach is not continuously re-shared with new downstream parties.
Sources
- HHS OCR Breach Portal — federal regulatory record (Hacking/IT Incident, Network Server, 104,513 affected, submitted 2025-01-13).
- MAPS Notice of Data Security Incident (PDF, via ClassAction.org) — entity’s own substitute notice.
- More v. Mid America Physician Services, LLC — D. Kan. docket (Justia) — class-action filing.
- McShane & Brady: Suit Filed Against Mid America Physician Services — filing-firm announcement detailing data elements (“name, address, DOB, health insurance information, SSN, billing information, and financial payment information”).
- HIPAA Journal coverage — trade-press timeline (detection 2024-11-14, investigation complete 2025-05-08, notice 2025-07-15).
- Strauss Borrelli investigation announcement.
- Siri & Glimstad investigation announcement.
- ClassAction.org: MAPS Data Breach Lawsuit Investigation.
- O.S. and F.C. v. Mid America Physician Services, LLC — W.D. Mo. docket (PACERMonitor) — second class action; April 13, 2026 partial dismissal order; case ongoing.
- O.S. and F.C. v. Mid America Physician Services, LLC — W.D. Mo. docket (CourtListener).
- ClaimDepot: Mid America Physician Services Data Breach — multi-state AG filing confirmation (CA, IA, ME, MA, MT, NE, NH, OR, RI, SC, TX, VT, WA).
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- MAPS Notice of Data Security Incident (PDF, via ClassAction.org)
- More v. Mid America Physician Services, LLC — D. Kan. Docket (Justia)
- McShane & Brady: Suit Filed Against Mid America Physician Services
- HIPAA Journal coverage
- Strauss Borrelli Investigation
- Siri & Glimstad Investigation
- ClassAction.org: MAPS Data Breach Lawsuit Investigation
- O.S. and F.C. v. Mid America Physician Services — W.D. Mo. Docket (PACERMonitor)
- O.S. and F.C. v. Mid America Physician Services — W.D. Mo. Docket (CourtListener)
- ClaimDepot: Mid America Physician Services Data Breach (multi-state AG filing confirmation)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.