Esse Health has notified the Maine Attorney General’s Office that 263,601 people were affected by an incident they first disclosed in early May.
Esse has 45 locations in and around the St. Louis metropolitan area. According to their notices and update of June 20, 2025, Esse first became aware of unusual activity on its system on April 21, 2025. It subsequently confirmed that an unauthorized individual accessed and exfiltrated data.
Media coverage in May indicated that this was a ransomware attack, but Esse’s website update of June 20 made no mention of whether there was any encryption of their files. They may have been unable to access their patient records because they took their system offline while they were securing it and investigating the attack.
According to their notice, the data involved varied by individual but may have included information such as name, address, date of birth, health insurance information, medical record number, patient account number, and certain health information.
There was no indication that social security numbers were involved. Nor was there any indication as of their last update that any of the involved information had been misused.
No threat actor group appears to have ever claimed responsibility for the attack, which raises questions as to whether there ever was a demand, and if so, was it paid. DataBreaches emailed Esse Health to ask whether there had been any encryption, whether there had been any ransom demand, and if so, who signed the demand. DataBreaches also asked why the PHI of more than 263,000 patients hadn’t been encrypted if it was connected to the internet, and whether it was old data or current data, or both. No reply was available by publication, but this post will be updated if a reply is received.