factually

Missouri health care data breaches

Checked on December 9, 2025
Disclaimer: Factually can make mistakes. Please verify important information or breaking news. Learn more.
Missouri Attorney General
Missouri Independent
TechTarget
BreachSpot
Searched for:
"Missouri healthcare data breaches December 2025"
Found 15 sources

Executive summary

Missouri health care organizations have been among dozens nationally affected by large breaches in 2024–25, including vendor incidents tied to Oracle Health/Cerner that prompted notices from Mosaic Life Care and others; Oracle has reportedly told attorneys that as many as 80 hospitals’ patient records may have been involved [1] [2]. Missouri law requires breach notices “without unreasonable delay” under RSMo §407.1500, and federal HIPAA breach rules also apply to healthcare entities and business associates [3] [4].

1. What happened: vendor breaches ripple through Missouri care providers

Several Missouri providers — including Mosaic Life Care and NKC Health — notified patients after a large breach originating at Oracle Health (formerly Cerner) that was first exploited in January and linked to data exfiltration; some patients only learned of the compromise many months later when their local provider sent notice [1] [2] [5]. Reporting by The Beacon and the Missouri Independent and vendor confirmations cited by HIPAA Journal show Oracle’s incident led multiple hospitals to alert patients about exposed records [1] [2] [6].

2. Scale and uncertainty: plaintiffs’ estimate vs. corporate silence

Attorneys representing victims in a federal class action say Oracle’s lawyers told them roughly 80 hospitals’ patient records may have been involved, and a plaintiff’s lawyer estimates “millions” of patient records could be exposed; Oracle has not publicly disclosed a complete count and has not commented publicly in some reporting, leaving scale and scope unresolved [2] [1]. Available sources do not give a definitive statewide tally for Missouri beyond specific providers that filed notices [1] [2].

3. How breached data looks: types of information exposed

In similar vendor incidents affecting Missouri providers, investigators found files potentially containing names, dates of birth, Social Security numbers, medical histories, insurance and billing information, and other identifiers — the categories that heighten risk of identity theft and fraud — as described in breach reviews tied to other healthcare incidents referenced in reporting [6] [7]. Sources show breached files included typical protected health information that HIPAA guards but do not provide a uniform list for every affected Missouri facility [6] [7].

4. Legal landscape for Missouri victims and organizations

Missouri statute requires entities that own or license Missouri residents’ personal information to notify affected consumers of security breaches “without unreasonable delay,” and it obliges third parties maintaining such records to notify the owner or licensee immediately after discovery (RSMo §407.1500) [3]. Healthcare breaches are also regulated federally by HIPAA’s Breach Notification Rule, meaning covered entities and business associates must follow both sets of obligations when protected health information is involved [4] [3].

5. Litigation and enforcement already underway

Plaintiffs’ lawyers have filed a federal class action in the Western District of Missouri and allege massive exposure; one attorney’s estimate and assertions about Oracle’s communications to counsel appear in reporting, underscoring that litigation may be a primary channel for victims to seek remediation while enforcement or detailed disclosures remain incomplete [2] [1]. Separate Missouri cases tied to other practices — for example BJC Health’s settlement over third‑party web trackers — show civil remedies and large settlements are possible where consumer data was shared without consent [8].

6. Practical risks and remedies for Missourians

Notices tied to vendor breaches typically inform people about the types of information at risk and often offer credit monitoring; in past incidents affecting Missouri patients, organizations offered identity protection and insurance reimbursements as mitigation measures [6] [9]. Consumers who received notices should follow the Attorney General’s checklist and consider credit freezes, monitoring, and reporting suspicious activity; the Missouri AGO provides guidance for next steps after receiving a breach notice [10] [3].

7. Broader context: healthcare breaches are rising and complex

Industry data show healthcare remained a top target in 2025, with hundreds of large breaches reported and tens of millions of breached records in early‑year totals; the sector’s growing reliance on third‑party vendors and large electronic record systems amplifies systemic risk and complicates timely disclosure [9] [11]. Experts in the cited coverage say large technology vendors’ silence and the patchwork of notices by downstream providers illustrate structural disclosure problems in the sector [1] [2].

Limitations: reporting in these sources is partial — Oracle’s public disclosures are limited and available coverage focuses on specific providers and lawsuits, not a comprehensive Missouri statewide inventory. Available sources do not mention a complete list of Missouri hospitals affected or a final count of individual records statewide; those figures remain subject to further vendor or regulator disclosure [1] [2] [3].

Want to dive deeper?
How many Missouri healthcare data breaches occurred in 2024 and 2025 and which providers were affected?
What types of patient information were exposed in recent Missouri healthcare data breaches?
How are Missouri state laws regulating breach notification and penalties for healthcare data incidents?
What cybersecurity measures are Missouri hospitals and clinics adopting after recent breaches?
Have Missouri patients filed class-action lawsuits or received identity protection services following healthcare data breaches?
About
Blog
Contact
FAQ
Terms
Privacy
Manage data