Esse Health Agrees to Pay $2.53M to Settle Data Breach Lawsuit
American Multispecialty Group, doing business as Esse Health, a Missouri-based independent physician group serving the greater St. Louis area, experienced a cyberattack and data breach in April 2025. Esse Health faced multiple class action lawsuits in response to the data breach, and the consolidated class action lawsuit has recently been settled. Esse Health has agreed to pay $2,525,000 to resolve the lawsuit.
The cyberattack was detected by Esse Health on April 21, 2025, and the forensic investigation confirmed that the hackers obtained sensitive data such as names, addresses, birth dates, health information, and health insurance information. Around 5,000 individuals also had their Social Security numbers compromised in the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the electronic protected health information of 23,671 patients; however, the data breach was much more extensive. The Maine Attorney General was informed that the breach affected 263,601 individuals. The lawsuit states that approximately 521,167 individuals were affected.
The data breach was first announced by Esse Health on May 15, 2025, and shortly thereafter, a class action lawsuit was filed by Plaintiff Casten Clausner in the U.S. District Court for the Eastern District of Missouri. A further seven plaintiffs filed similar actions in state court in St. Louis County and the City of St. Louis. All actions were consolidated in the 22nd Judicial Circuit Court of St. Louis City, Missouri, in June 2025.
The consolidated lawsuit – Clausner et al. v. American Multispecialty Group – claims that the data breach could have been prevented and was due to the defendant's failure to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, breach of confidence, breach of fiduciary duty, invasion of privacy, unjust enrichment, violation of the Missouri Merchandising Practices Act, and declaratory and injunctive relief. Esse Health maintains that there was no wrongdoing and no liability; however, following mediation, a settlement was agreed upon by all parties to avoid the costs and risks associated with continuing the litigation.
Under the terms of the settlement, Esse Health has agreed to establish a $2,525,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the 8 class representatives, and benefits for the class members. After costs and expenses have been deducted from the settlement fund, the remainder will be used to pay for class member benefits. While most class action lawsuit settlements allow class members to submit a claim for reimbursement of losses, this settlement only provides a pro rata cash payment, which is expected to be $50 per class member. The payments may be higher or lower depending on the number of claims received.
In addition, class members are entitled to enroll in two years of medical identity protection services, which include a $1 million medical identity theft insurance policy. The cost of the medical identity protection will be paid separately by Esse Health. The settlement has received preliminary approval from the court. The deadline for objection and exclusion from the settlement is July 5, 2026. Claims must be submitted by August 4, 2026, and the final approval hearing has been scheduled for August 3, 2026.
The post Esse Health Agrees to Pay 2.53M to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.
Ransomware Groups Claim Responsibility for Attacks on 3 Healthcare Providers
Ransomware groups have claimed responsibility for attacks on Advanced Family Surgery Center in Tennessee, Orem Eye Clinic in Utah, and Belmont Aesthetic & Reconstructive Plastic Surgery in Virginia/Washington D.C.
Surgery Center of Oak Ridge (Advanced Family Surgery Center)
Surgery Center of Oak Ridge, LLC, doing business as Advanced Family Surgery Center in Oak Ridge, Tennessee, has notified certain patients about a network intrusion first identified on or around November 26, 2025. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that certain parts of its network were accessed by an unauthorized third party who potentially viewed or acquired files containing patient information.
The files were reviewed and found to contain names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis information, medical record numbers, Medicare/Medicaid numbers, patient account numbers, prescription/treatment information, provider names, and Social Security numbers. Additional security measures have been implemented to prevent similar incidents in the future, and policies and procedures with respect to data security are being reviewed.
This appears to have been a ransomware attack with data theft. The Genesis ransomware group, a financially motivated threat group that has attacked many healthcare providers, claimed responsibility for the attack and added Advanced Family Surgery Center to its dark web data leak site. Genesis claims to have exfiltrated 100 GB of data in the attack, including files containing patient information.
Orem Eye Clinic
Orem Eye Clinic in Orem, Utah, has notified individuals and the HHS’ Office for Civil Rights about a cybersecurity incident involving unauthorized access to parts of its network that contained the protected health information of approximately 5,800 patients. No substitute breach notice has been added to the Orem Eye Clinic website at the time of publication of this article, so the exact details, such as the types of data involved and the nature of the incident, have yet to be confirmed. Individuals receiving a notification letter should be aware that a ransomware group called Nightspire claimed responsibility for the attack and added Orem Eye Clinic to its dark web data leak site. The group claims to have exfiltrated 1 terabyte of data in the attack.
Belmont Aesthetic & Reconstructive Plastic Surgery
Belmont Aesthetic & Reconstructive Plastic Surgery, a cosmetic and reconstructive surgery practice with locations in Washington, D.C., and Virginia, has reported a data breach to the HHS’ Office for Civil Rights that has affected 528 individuals. While there is currently no website notice, and no other information has been released about the data breach so far, this appears to have been a ransomware attack. The Insomnia ransomware group added Belmont Aesthetic & Reconstructive Plastic Surgery to its dark web data leak site in early March 2026 and threatened to publish the stolen data if the ransom was not paid.