How many Missouri healthcare data breaches occurred in 2024 and 2025 and which providers were affected?
Executive summary
Available reporting identifies multiple Missouri healthcare-related breaches reported to federal and industry trackers in 2024–2025, including the Change Healthcare incident that affected millions nationally and specific Missouri providers such as Mosaic Life Care (vendor incident tied to Oracle Health) and Arthur Center Community Health/East Central Missouri Behavioral Health Services; sources note Mosaic’s exposure tied to an Oracle Health event confirmed April–May 2025 and Arthur Center’s November 21, 2024, OCR report [1] [2] [3]. A comprehensive count of every Missouri healthcare breach in 2024 and 2025 is not provided in the available sources; the OCR breach portal is referenced but its state-filtered totals are not quoted here [4] [5].
1. What the sources actually document: headline incidents and affected providers
Public reporting in these search results highlights several large, widely publicized breaches that touched Missouri patients. The Change Healthcare cybersecurity incident — reported to OCR in July 2024 and ultimately acknowledged as affecting well over 100 million people nationally — is the largest single event cited and had nationwide downstream impacts [1]. Mosaic Life Care, a Missouri provider, confirmed it was affected by a data incident traced to its vendor Oracle Health (formerly Cerner); that compromise was verified by Mosaic in late April/early May 2025 [2]. Arthur Center Community Health/East Central Missouri Behavioral Health Services announced a hacking and data theft incident that was reported to OCR on November 21, 2024 [3]. TechTarget also flags a Kansas City, Missouri-based company, Southeast Series of Lockton Companies, as reporting a large OCR breach in February 2025 [5].
2. Why a single, authoritative Missouri count is not available in these sources
None of the provided articles or summaries offers a state-by-state tally of every healthcare breach in 2024–2025. The HHS OCR breach portal exists as the authoritative registry, but the search results include the portal link without a state-filtered extract or count for Missouri (available sources do not mention a complete Missouri total) [4]. Industry roundups discuss the biggest national incidents and list notable organizations but do not compile an exhaustive Missouri-only list [6] [5].
3. How these incidents differ in scope and cause
The items cited reflect different patterns: massive supply‑chain or vendor compromises with national impact (Change Healthcare and Oracle Health/Cerner-related disclosures involving Mosaic Life Care) versus provider-level breaches or hacking incidents (Arthur Center/East Central Missouri Behavioral Health Services). The national incidents explain why Missouri providers appear in breach narratives even when the root cause is a third‑party vendor [1] [2] [3].
4. What the sources say about affected data and scale
Change Healthcare’s incident generated tens to hundreds of millions of individual notices over late 2024 and into 2025, per HHS updates [1]. Mosaic Life Care’s vendor-linked exposure prompted confirmation in spring 2025 but the Mosaic article cites counts of affected individuals at other providers in that roundup rather than a Missouri-specific total [2]. Arthur Center’s file review completed in March 2025 and the OCR report filed November 21, 2024, stated up to 20,000 individuals could have been involved in that particular incident [3].
5. Competing perspectives and implicit agendas in the reporting
Industry outlets (HIPAA Journal, HIPAA Guide, TechTarget) focus on scale and technical root causes to press the urgency of vendor management and encryption; their audience is largely compliance and security professionals [3] [6] [5]. Government sources like the OCR portal are the official repository but require independent querying for state slices [4]. Vendor-linked disclosures may understate or delay totals while investigations proceed; papers note multi‑month reviews and staggered notice timelines [3] [1].
6. What a reader in Missouri should do now
Because the available sources do not enumerate every Missouri healthcare breach in 2024–2025, patients concerned about exposure should watch provider notices and OCR postings for updates and use guidance from HHS on breach response (available sources do not mention specific state actions beyond notification statutes) [4] [1]. Missouri’s own breach-notification statute requires timely consumer notice but state-level aggregate reporting is not provided in these search results [7].
Limitations: These conclusions are drawn only from the supplied search results. A complete, authoritative count of Missouri healthcare breaches in 2024–2025 would require direct queries of the HHS OCR breach portal filtered for Missouri and review of all provider notices and state filings; that state‑specific total is not present in the current reporting [4].