
Missouri Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

A timeline of major cybersecurity incidents in Missouri, from the DESE teacher SSN exposure controversy to BJC HealthCare breaches and ransomware attacks on county governments.

Missouri sits at the crossroads of American commerce, with a diverse economy spanning financial services in St. Louis and Kansas City, one of the nation's largest concentrations of healthcare systems, and an agricultural sector that ranks in the top ten nationally for cattle, soybeans, and corn production. That economic diversity translates into a broad attack surface for cybercriminals, who have targeted Missouri organizations ranging from state government agencies to hospital networks to professional sports franchises. The incidents documented below are not abstract possibilities — they are real compromises that exposed millions of records and cost Missouri organizations millions of dollars in remediation.

Studying these Missouri-specific cyber threats is essential for any organization operating in the state. Each breach reveals specific weaknesses — unpatched web applications, inadequate access controls, phishing vulnerabilities — that persist in many Missouri businesses today. The timeline below provides the factual record that should inform your security planning and investment decisions.

Major Cyber Incidents in Missouri: A Timeline

2015 — St. Louis Cardinals Hacking of Houston Astros

In one of the most unusual cybercrime cases in U.S. history, former St. Louis Cardinals scouting director Chris Correa was charged with unauthorized access to the Houston Astros' proprietary player personnel database, known as Ground Control. Correa used credentials that a former Cardinals employee had carried to the Astros to access their system at least 48 times between March 2013 and June 2014, stealing trade discussions, scouting reports, and statistical analyses. In July 2016, Correa was sentenced to 46 months in federal prison and ordered to pay $279,038 in restitution. The Cardinals organization paid the Astros $2 million in damages as determined by MLB's Commissioner. The case demonstrated that credential reuse — even across organizations — creates serious unauthorized access risks.

2018 — BJC HealthCare Phishing Breach

BJC HealthCare, one of the largest nonprofit healthcare organizations in Missouri with 15 hospitals across the St. Louis region, disclosed in 2018 that a phishing attack had compromised employee email accounts containing protected health information. The breach affected approximately 33,420 patients, exposing names, dates of birth, Social Security numbers, medical record numbers, and clinical information. BJC reported that three employee email accounts were accessed by unauthorized individuals between March 6 and March 8, 2018. The organization implemented additional email security controls and phishing awareness training in response. For organizations in similar positions, healthcare-focused IT security programs can help reduce exposure to phishing-based compromises.

2019 — Missouri Department of Public Safety Ransomware

The Missouri Department of Public Safety experienced a ransomware incident in 2019 that disrupted internal systems. While the department stated that no personal data was exfiltrated, the attack temporarily affected operations and prompted a review of cybersecurity practices across Missouri state agencies. The incident contributed to increased legislative attention to state government cybersecurity funding in subsequent budget cycles.

2021 — Missouri DESE Teacher SSN Exposure

In October 2021, a St. Louis Post-Dispatch reporter discovered that the Missouri Department of Elementary and Secondary Education (DESE) website was exposing the Social Security numbers of approximately 100,000 teachers and school administrators in the HTML source code of publicly accessible web pages. The reporter, Josh Renaud, responsibly disclosed the vulnerability to DESE before publishing his story, giving the agency time to remediate the issue. Governor Mike Parson's response became a national controversy when he announced at a press conference that the reporter would be investigated for "hacking" under Missouri's computer tampering statute (Mo. Rev. Stat. 569.095), claiming that viewing the page's source code constituted unauthorized access. The investigation was ultimately referred to the Cole County prosecutor, who declined to file charges in February 2022. The incident highlighted both the risks of exposing sensitive data in unprotected web applications and the importance of having clear vulnerability disclosure policies. The remediation cost to the state was estimated at $50,000 for the website fix alone.

2022 — Cass County Ransomware Attack

Cass County, located south of Kansas City, was hit by a ransomware attack in 2022 that disrupted county government operations for several weeks. The attack forced the county to take systems offline, affecting property tax records, the county assessor's office, and other public-facing services. County officials worked with federal law enforcement and cybersecurity firms to restore operations. The incident illustrated the vulnerability of smaller county governments that often operate with limited IT budgets and aging infrastructure.

2023 — University of Missouri Health Care Breach

The University of Missouri Health Care system disclosed a data breach in 2023 affecting patient records after an unauthorized individual gained access to employee email accounts. The compromised accounts contained patient names, dates of birth, medical record numbers, and limited clinical information. MU Health Care notified affected patients and offered credit monitoring services. The breach underscored the ongoing vulnerability of academic medical centers, which must balance open research environments with the security requirements of patient data protection.

Missouri Breach Notification Requirements

Missouri's breach notification law, codified in Mo. Rev. Stat. 407.1500, requires any person or entity that owns or licenses personal information of Missouri residents to notify affected individuals without unreasonable delay after discovery of a breach. The statute does not specify a fixed deadline in days, instead using the "without unreasonable delay" standard, which courts have generally interpreted as requiring notification as promptly as possible given the need to determine the scope of the breach and restore system integrity. For a comprehensive analysis of Missouri's regulatory framework, see our Missouri cybersecurity compliance guide.

If a breach affects more than 1,000 Missouri residents, the entity must also notify the Missouri Attorney General's office. The law covers personal information defined as a Missouri resident's name in combination with Social Security number, driver's license number, financial account number with access credentials, or medical or health insurance information. Violations can result in enforcement actions by the Attorney General under the Missouri Merchandising Practices Act.

Which Missouri Industries Are Most Targeted?

Healthcare

Missouri is home to BJC HealthCare, SSM Health, Mercy, and the University of Missouri Health Care system, among others. Healthcare organizations generate enormous volumes of protected health information that commands high prices on dark web markets. The BJC and MU Health Care breaches demonstrate that even large, well-resourced health systems remain vulnerable to phishing and credential-based attacks.

Financial Services

St. Louis and Kansas City serve as headquarters for major financial firms including Edward Jones, Stifel Financial, and numerous regional banks and insurance companies. Financial institutions face persistent threats from both cybercriminal organizations seeking wire transfer fraud and nation-state actors conducting economic espionage. Understanding the managed IT security services landscape is critical for firms in this sector.

State and Local Government

The DESE data exposure and Cass County ransomware attack illustrate the challenges facing Missouri government agencies at all levels. Many county and municipal governments operate with minimal IT staff, outdated systems, and limited cybersecurity budgets, making them attractive targets for ransomware gangs that calculate these entities are more likely to pay ransoms to restore critical public services.

Protecting Your Missouri Organization

The pattern across Missouri incidents is clear: phishing, credential compromise, and unpatched or misconfigured web applications account for the vast majority of initial access vectors. Missouri businesses should prioritize the following measures:

  • Implement multi-factor authentication on all email accounts, VPN access, and administrative systems — the BJC and MU Health Care breaches both originated from compromised email credentials

  • Conduct regular web application security assessments — the DESE incident demonstrated that sensitive data can be inadvertently exposed in publicly accessible page source code

  • Establish a vulnerability disclosure policy so that security researchers can report issues without legal ambiguity, learning from the DESE controversy

  • Maintain tested offline backups to ensure recovery from ransomware without paying attackers, as Cass County and other local governments have learned

  • Train employees regularly on phishing recognition with simulated phishing exercises specific to your industry
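As a starting point for the web application assessment item above, the following added example (not code from this article's sources or from DESE) scans the HTML your own site serves for SSN-shaped values and reports where in the source they sit: comments, attribute values such as hidden form fields, script bodies, or visible text. The sample page, the numbers in it, and the names `scan_html`, `SourceLeakScanner` and `plausible_ssn` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
# SSN-shaped values: 9 digits, optionally separated by hyphens or spaces.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Reject ranges the SSA never issues, to cut false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

class SourceLeakScanner(HTMLParser):
    """Collects SSN-shaped values and records where in the source they sit."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # (location, masked_value)
        self._raw = None        # set while inside <script>/<style>

    def _scan(self, text, location):
        for m in SSN_RE.finditer(text or ""):
            if plausible_ssn(*m.groups()):
                # Mask so the report itself does not re-expose the number.
                self.findings.append((location, "***-**-" + m.group(3)))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw = tag
        for name, value in attrs:   # hidden inputs, data-* attributes, etc.
            self._scan(value, f"attribute {tag}[{name}]")

    def handle_endtag(self, tag):
        if tag == self._raw:
            self._raw = None
    def handle_comment(self, data):
        self._scan(data, "comment")
    def handle_data(self, data):
        self._scan(data, f"<{self._raw}> body" if self._raw else "visible text")

def scan_html(source):
    scanner = SourceLeakScanner()
    scanner.feed(source)
    scanner.close()
    return scanner.findings

# Constructed sample page (not DESE's markup); all numbers are placeholders.
SAMPLE = """<!-- debug: educator 219-09-9999 -->
<form><input type="hidden" name="id" value="078051120"></form>
<script>var rows = [{"name": "A. Teacher", "ssn": "123-45-6789"}];</script>
<p>Certificate no. 000-12-3456, phone 573-555-0100</p>"""
```

Run `scan_html` over the responses your application returns to an unauthenticated or low-privilege session; any finding outside visible text means data is reaching the browser that the page never displays.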

Organizations without dedicated security teams should consider partnering with managed IT services providers or managed security services firms that can provide continuous monitoring, vulnerability management, and incident response capabilities.

Frequently Asked Questions

How quickly must a Missouri business report a data breach?

Under Mo. Rev. Stat. 407.1500, Missouri businesses must notify affected individuals "without unreasonable delay" after discovering a breach. The statute does not impose a specific number of days, but delay must be justified by the needs of law enforcement or the time required to determine the scope of the breach and restore system integrity. If 1,000 or more Missouri residents are affected, the business must also notify the Missouri Attorney General.

What happened with the DESE teacher data exposure in 2021?

A St. Louis Post-Dispatch reporter discovered that DESE's website was exposing Social Security numbers of approximately 100,000 teachers in the HTML source code of publicly accessible pages. After the reporter responsibly disclosed the vulnerability, Governor Parson controversially announced the reporter would be investigated for "hacking." The Cole County prosecutor ultimately declined to file charges in February 2022, and the state fixed the vulnerability at an estimated cost of $50,000.

Was anyone prosecuted in the St. Louis Cardinals hacking case?

Yes. Chris Correa, the Cardinals' former scouting director, pleaded guilty to five counts of unauthorized access to a protected computer. He was sentenced to 46 months in federal prison in July 2016 and ordered to pay $279,038 in restitution. The Cardinals organization separately paid the Houston Astros $2 million in damages as ordered by the MLB Commissioner.

Which Missouri counties have been hit by ransomware?

Cass County, located south of Kansas City, experienced a significant ransomware attack in 2022 that disrupted county government operations for weeks. Other Missouri counties and municipalities have experienced similar incidents, though many are not publicly disclosed in detail. Local governments across Missouri remain particularly vulnerable due to limited IT budgets and aging infrastructure.

Does Missouri have a state cybersecurity office?

Missouri's cybersecurity efforts for state government are coordinated through the Missouri Office of Administration's Information Technology Services Division (ITSD). The state also participates in the Multi-State Information Sharing and Analysis Center (MS-ISAC). However, Missouri does not have a standalone cybersecurity agency equivalent to what some larger states have established. The DESE incident in 2021 prompted increased scrutiny of state agency cybersecurity practices and renewed discussions about centralizing security oversight.


Alex Morgan

Updated Apr 4, 2026 · 8 min read
