Full Report
Esse Health, a healthcare provider based in St. Louis, Missouri, is notifying over 263,000 patients that their personal and health information was stolen in an April cyberattack. [...]
Analysis Summary
# Incident Report: Esse Health Data Breach Affecting 263,000 Patients
## Executive Summary
Esse Health suffered a significant data breach impacting over 263,000 patients, resulting in the exfiltration of sensitive personal and health-related information. While the exact attack vector is unconfirmed, the multi-month restoration efforts strongly suggest a ransomware attack where data was stolen prior to encryption. Esse Health is providing identity protection services to affected individuals.
## Incident Details
- Discovery Date: Not explicitly stated, but notification/disclosure occurred recently.
- Incident Date: Not explicitly stated, but restoration efforts spanned multiple months, suggesting a prolonged incident period.
- Affected Organization: Esse Health
- Sector: Healthcare
- Geography: Not explicitly stated in the provided text.
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Unknown
- Details: The specific initial access vector was not revealed by Esse Health.
### Lateral Movement
- Details: Unknown. The scope suggests internal network activity beyond the initial entry point, given the volume of data potentially accessed and the implication of ransomware activity.
### Data Exfiltration/Impact
- Details: A wide range of sensitive data was stolen for each impacted patient, most likely occurring before or during system encryption. Data included: Name, address, date of birth, health insurance information, medical record number, and patient account number. **Note:** Evidence suggests Social Security Numbers were **not** stolen, and the NextGen EMR system was not breached.
### Detection & Response
- Details: The incident was discovered resulting in the need for multi-month system restoration. Esse Health notified Maine's Attorney General regarding the breach.
## Attack Methodology
- Initial Access: Unknown.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: The threat actors successfully collected extensive patient data prior to exfiltration.
- Exfiltration: Data containing patient records was exfiltrated.
- Impact: Likely system encryption (suggested by multi-month restoration) alongside data theft (double extortion).
## Impact Assessment
- Financial: Not stated, but recovery and notification costs are expected to be significant.
- Data Breach: Data for over 263,000 patients impacted, including PII (Name, DOB, Address) and PHI/Account Data (Insurance Info, Medical Record Number, Patient Account Number).
- Operational: Significant business disruption indicated by "restoration efforts spanning multiple months."
- Reputational: Negative impact due to the exposure of sensitive patient data.
## Indicators of Compromise
- Network indicators: None provided (URLs/IPs defanged).
- File indicators: None provided.
- Behavioral indicators: Multi-month system unavailability suggesting ransomware/encryption activity.
## Response Actions
- Containment: Implied through the commencement of system restoration.
- Eradication: Implied through system restoration activities.
- Recovery: Restoration efforts spanned multiple months.
- Notification: Esse Health is notifying affected parties and relevant regulatory bodies (e.g., Maine's Attorney General).
- Mitigation efforts: Providing free identity protection services through IDX for affected individuals (enrollment deadline: September 25, 2025).
## Lessons Learned
- The incident highlights the risk of prolonged operational disruption, strongly pointing towards a potential ransomware scenario.
- Data exfiltration occurred before potential encryption, emphasizing the threat of double extortion.
- Sensitive PII and health-related data were accessible to the attackers across the compromised environment (excluding the EMR system).
## Recommendations
- Thoroughly investigate and document the initial access vector and methodology used, especially since the nature of the attack was not publicly confirmed.
- Isolate and secure the NextGen EMR system environment, as while it wasn't breached, its proximity to the compromised data presents a critical risk area.
- Enhance data access monitoring across all non-EMR platforms storing patient data to detect unusual collection/exfiltration activity earlier.
- Review backup and disaster recovery procedures to minimize the duration of operational downtime experienced during the multi-month restoration period.