Greater St. Louis Oral Surgery HIPAA Breach Affects 501 Patients
Greater St. Louis Oral & Maxillofacial Surgery PC has been added to the Department of Health and Human Services (HHS) breach portal, commonly called the "Wall of Shame", following an email-based hacking incident that compromised the protected health information (PHI) of 501 patients. Reported on December 4, 2025, the incident is one more example of the email-account compromises that healthcare providers across the United States keep reporting.
What Happened
The Missouri-based oral and maxillofacial surgery practice reported a hacking incident involving its email systems. The public listing does not state when the intrusion began or how long the attacker had access; it records only that the practice reported the incident to HHS in December 2025 and that 501 individuals were affected. That count is at the 500-or-more threshold at which the HIPAA Breach Notification Rule requires notice to HHS no later than 60 days after discovery and public posting of the breach.
Email-based breaches have become common in healthcare settings because medical practices routinely use email to communicate patient information, coordinate care, and exchange records. Years of such messages accumulate in mailboxes, so a single compromised account can expose PHI for hundreds of patients, which is what makes these accounts attractive targets.
The portal classifies the breach as a "Hacking/IT Incident" with email as the location of the breached information. That classification says only that unauthorized access occurred; it does not say how. Common causes include phishing for credentials, credential stuffing with passwords reused from other breaches, and exploitation of vulnerabilities in internet-exposed mail servers.
Who Is Affected
The breach impacted 501 patients who received care at Greater St. Louis Oral & Maxillofacial Surgery PC. As a specialized practice focusing on oral and maxillofacial surgery, the affected individuals likely include patients who underwent various procedures such as:
- Wisdom tooth extractions
- Dental implant procedures
- Jaw surgery
- Treatment for facial trauma
- Corrective jaw surgery
- Oral pathology treatments
Patients who received care at this practice should be particularly vigilant about monitoring their personal information and watching for signs of identity theft or medical identity fraud.
Breach Details
While specific technical details about how the attackers gained access to the email systems haven't been publicly disclosed, email-based healthcare breaches typically involve several common attack vectors:
Phishing Attacks: Staff may have received deceptive emails that led them to a fake login page or a malicious attachment, handing over credentials or giving the attacker a foothold on a workstation.
Credential Compromise: Weak or reused passwords, especially on accounts without multi-factor authentication, let attackers log in to mailboxes directly, often with passwords leaked in unrelated breaches.
Business Email Compromise (BEC): Once an administrative or executive mailbox is taken over, the attacker can read its entire contents, add forwarding rules to keep receiving mail, and send convincing messages to staff, patients, and insurers from a trusted address.
Unpatched Vulnerabilities: Outdated email servers, webmail front ends, or related software exposed to the internet can be exploited through publicly known flaws.
The fact that this breach affected email systems is particularly concerning because healthcare providers often use email to:
- Share patient records with specialists
- Communicate treatment plans
- Send appointment reminders
- Process insurance information
- Coordinate care between providers
What This Means for Patients
Patients affected by this breach may have had various types of sensitive information exposed, potentially including:
- Full names and contact information
- Social Security numbers
- Insurance information and policy numbers
- Medical record numbers
- Treatment histories and diagnoses
- Billing and payment information
- Prescription information
This information could be used by cybercriminals for identity theft, medical identity fraud, or financial fraud. Medical identity theft is particularly damaging because it can result in incorrect information being added to medical records, potentially affecting future healthcare decisions.
How to Protect Yourself
If you're a patient of Greater St. Louis Oral & Maxillofacial Surgery PC, take these immediate steps:
Monitor Your Accounts: Regularly check bank accounts, credit card statements, and insurance explanation of benefits (EOB) statements for unauthorized activity.
Review Credit Reports: Obtain free credit reports from all three major credit bureaus and look for accounts or inquiries you don't recognize.
Consider a Credit Freeze or Monitoring: A credit freeze, which is free at each bureau, prevents new accounts from being opened in your name. Credit monitoring services alert you to new accounts or changes to your credit profile but do not block them.
Watch for Medical Identity Theft: Review all medical bills and insurance statements carefully. Report any services you didn't receive to your insurance company immediately.
Stay Alert for Phishing: Be suspicious of unexpected emails, calls, or texts requesting personal information, especially those claiming to be related to this breach.
Update Passwords: Change passwords for any healthcare portals or accounts that may have been affected, use a different password for each account, and turn on multi-factor authentication where it is offered.
Contact the Practice: Reach out to Greater St. Louis Oral & Maxillofacial Surgery PC directly to understand what specific information may have been compromised and what remediation steps they're taking.
Prevention Lessons for Healthcare Providers
This breach serves as a critical reminder for healthcare organizations about the importance of robust email security measures:
Implement Multi-Factor Authentication: Require a second factor for every mailbox, including shared and administrative accounts, and prefer phishing-resistant methods such as security keys over SMS codes.
Regular Security Training: Provide ongoing cybersecurity awareness training to help staff identify and avoid phishing attempts.
Email Encryption: Use encrypted email when transmitting patient information to protect it in transit, but recognize that transport encryption does not help once an account is compromised; everything stored in the mailbox is exposed. Keep PHI out of mailboxes where possible and purge old messages.
Access Controls: Implement role-based access controls to limit who can access sensitive patient information via email.
Regular Security Assessments: Conduct periodic vulnerability assessments and penetration testing to identify potential weaknesses.
Incident Response Planning: Develop and regularly test incident response plans, and enable mailbox audit logging in advance so that, when an account is compromised, the investigation can establish which messages were actually accessed instead of having to treat every message in the mailbox as breached.
Email Filtering: Deploy advanced email security solutions that can detect and block malicious emails before they reach staff inboxes.
The healthcare sector continues to be a prime target for cybercriminals, with email accounts a common point of entry. As this incident demonstrates, even small specialized practices are at risk and must take proactive steps to protect patient information.