Active breach tracker Kansas Disclosed January 13, 2025

Mid America Physician Services Data Breach 2025: 104,513 Patients of Kansas City's Largest Independent Women's Health Practice Exposed. SSNs, Financial, Health Insurance Data. Class Action Filed. What To Do.

Mid America Physician Services (MAPS) — the largest independent women's health practice in the Kansas City area, comprising Johnson County OB/GYN, Women's Care, Women's Clinic of Johnson County, and Women's Health Associates — disclosed a network intrusion that exposed names, addresses, dates of birth, Social Security numbers, financial/billing information, health insurance details, and medical treatment information for 104,513 patients. Suit filed in D. Kan. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 14, 2024

MAPS detects suspicious activity on its network; third-party cybersecurity experts engaged; law enforcement notified

Jan 13, 2025

Breach reported to HHS Office for Civil Rights (Hacking/IT Incident, Network Server, 104,513 affected)

May 8, 2025

Forensic investigation concludes; confirms PII and PHI were compromised

Jul 15, 2025

MAPS begins mailing individual notification letters and publishes Notice of Data Security Incident on its website

Jul 15, 2025

More v. Mid America Physician Services, LLC filed in U.S. District Court for the District of Kansas (No. 2:25-cv-02422)

Jul 18, 2025

Incident reported to the Texas Attorney General's office and to at least 13 additional state AGs (CA, IA, ME, MA, MT, NE, NH, OR, RI, SC, VT, WA)

Aug 29, 2025

O.S. and F.C. v. Mid America Physician Services, LLC filed in U.S. District Court for the Western District of Missouri (No. 4:25-cv-00685-RK), representing Missouri and Kansas patients; Kopelowitz Ostrow P.A. for plaintiffs, Lathrop GPM LLP for MAPS

Apr 13, 2026

W.D. Mo. court grants in part MAPS's motion to dismiss: negligence, negligence per se, invasion-of-privacy, breach-of-fiduciary-duty, and MMPA claims dismissed without prejudice; implied-contract, unjust-enrichment, and declaratory/injunctive-relief claims survive

Jun 2, 2026

W.D. Mo. court extends plaintiffs' expert-witness deadline on class-certification issues to July 16, 2026; W.D. Mo. case remains active

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address Health insurance information Billing information Financial / payment information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

McShane & Brady (filed suit, D. Kan.) Kopelowitz Ostrow P.A. (filed suit, W.D. Mo.) Strauss Borrelli (publicly investigating) Siri & Glimstad (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Mid America Physician Services (MAPS) is the largest independent women’s health practice in the Kansas City area, operating through four divisions: Johnson County OB/GYN, Women’s Care, Women’s Clinic of Johnson County, and Women’s Health Associates. MAPS serves patients across the Kansas City metropolitan area, including patients from both Kansas and Missouri. On November 14, 2024, MAPS detected suspicious activity on its network. A months-long forensic investigation concluded on May 8, 2025, confirming that protected health information and personally identifiable information for 104,513 individuals were compromised in a Hacking/IT Incident at a Network Server. The breach was filed with HHS OCR on January 13, 2025, and individual notification letters were mailed beginning July 15, 2025. No threat actor has been publicly attributed. Two separate putative class actions are now active in federal court.

Timeline

  • November 14, 2024 — MAPS detects suspicious activity on its network. Third-party cybersecurity experts are engaged. Law enforcement is notified.
  • January 13, 2025 — Breach reported to HHS OCR (Hacking/IT Incident, Network Server, 104,513 affected).
  • May 8, 2025 — Forensic investigation concludes; PII and PHI confirmed compromised.
  • July 15, 2025 — MAPS begins mailing individual notification letters and publishes a Notice of Data Security Incident on its website. McShane & Brady files More v. Mid America Physician Services, LLC (No. 2:25-cv-02422) in the District of Kansas.
  • July 18, 2025 — Incident reported to the Texas Attorney General’s office (at least 636 Texas residents affected). Separate filings submitted to at least 13 additional state AGs, including California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Vermont, and Washington.
  • August 29, 2025 — A second putative class action, O.S. and F.C. v. Mid America Physician Services, LLC (No. 4:25-cv-00685-RK), is filed in the Western District of Missouri. Kopelowitz Ostrow P.A. represents the named plaintiffs; Lathrop GPM LLP represents MAPS.
  • April 13, 2026 — The W.D. Mo. court grants in part and denies in part MAPS’s motion to dismiss. Negligence, negligence per se, invasion-of-privacy, breach-of-fiduciary-duty, and Missouri Merchandising Practices Act claims are dismissed without prejudice. Implied-contract, unjust-enrichment, and declaratory/injunctive-relief claims survive.
  • June 2, 2026 — W.D. Mo. court extends plaintiffs’ expert-witness deadline on class-certification issues to July 16, 2026. The case remains active.

What was exposed

Per the MAPS notification and the Texas AG filing:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Health insurance information
  • Billing information
  • Financial / payment information
  • Medical treatment information

This is a high-severity data set: SSN, financial, and clinical data combined.

What the entity is offering

MAPS established a dedicated assistance line at 833-367-8552 (Monday-Friday, 8 a.m. to 8 p.m. EST) and published a Notice of Data Security Incident on its website. The publicly available materials reviewed for this page do not specify a complimentary credit-monitoring or identity-theft-protection offering (provider or duration). If your individual notification letter includes an enrollment code, follow the instructions in the letter.

Class-action posture

Two separate federal class actions are now active:

  • Filed (D. Kan.): More v. Mid America Physician Services, LLC, No. 2:25-cv-02422, U.S. District Court for the District of Kansas (filed July 15, 2025). Plaintiff represented by McShane & Brady.
  • Filed (W.D. Mo.): O.S. and F.C. v. Mid America Physician Services, LLC, No. 4:25-cv-00685-RK, U.S. District Court for the Western District of Missouri (filed August 29, 2025). Plaintiffs represented by Kopelowitz Ostrow P.A. (Jeffrey M. Ostrow); MAPS represented by Lathrop GPM LLP (Kathleen Fisher Enyeart). On April 13, 2026, the court dismissed negligence, negligence per se, invasion-of-privacy, breach-of-fiduciary-duty, and MMPA claims without prejudice, but allowed implied-contract, unjust-enrichment, and declaratory/injunctive-relief claims to proceed. Expert-witness disclosures on class certification are due July 16, 2026.
  • Investigating: Strauss Borrelli and Siri & Glimstad have each announced public investigations and are soliciting affected individuals.

The combination of SSN exposure, financial and insurance data, and a women’s-health clinical record set attracted litigation in two jurisdictions. The surviving claims in the W.D. Mo. case center on an implied contractual duty to safeguard patient information.

What to do

  1. Place free credit freezes at Equifax, Experian, and TransUnion.
  2. File IRS Form 14039 (Identity Theft Affidavit) if your letter confirms SSN exposure.
  3. Review your health insurance Explanation of Benefits statements for services you did not receive — medical-identity-theft is the highest-leverage abuse path here.
  4. Read your notification letter for any credit-monitoring enrollment code and enroll if offered. If MAPS’ letter to you offers nothing, consider purchasing your own monitoring.
  5. Stop the ongoing flow of your reproductive-health and treatment data. HealthConsent files HIPAA restriction requests so the data exposed in this breach is not continuously re-shared with new downstream parties.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.