Major Data Breach at Episource Exposes Sensitive Data of 5.4 Million Individuals

TL;DR

A significant data breach at Episource, a healthcare services company, compromised the personal and health data of over 5.4 million individuals. The incident, detected on February 6, 2025, involved a cyberattack that accessed sensitive information between January 27 and February 6. Episource has since launched an investigation and notified affected parties.

Major Data Breach at Episource Impacts 5.4 Million People

A cyberattack on Episource, a U.S.-based healthcare services, and technology company has resulted in a data breach affecting over 5.4 million individuals. The breach, detected on February 6, 2025, exposed personal and health data, prompting an immediate response from the company.

Episource provides risk adjustment services, clinical data analytics, and medical record review solutions to health plans and healthcare organizations, particularly those operating in Medicare Advantage, Medicaid, and ACA markets. The company’s critical role in the healthcare ecosystem makes this breach particularly concerning.

Timeline and Response

On February 6, 2025, Episource detected unusual activity in its systems. An investigation revealed that a threat actor had accessed and copied data between January 27 and February 6. In response, Episource shut down its systems, launched an investigation with the help of experts, and notified law enforcement. To date, there have been no reports of misuse of the exposed data.

“On February 6, 2025, Episource found unusual activity in our computer systems. We quickly took steps to stop the activity. We began investigating right away and hired a special team to help us. We also called law enforcement. We turned off our computer systems to help protect the customers we work with and their patients and members.” ¹

The exposed data varied by individual and may have included:

• Contact Details: Name, address, phone number, and email.
• Health Insurance Info: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
• Medical Records: Medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment.
• Sensitive Information: In limited cases, Social Security numbers or birth dates.

Impact and Recommendations

Although financial data was mostly unaffected, individuals are advised to monitor their health, financial, and tax records for suspicious activity. Any anomalies should be reported to relevant institutions or authorities.

“Starting on April 23, 2025, we began notifying our customers about which individuals and specific data may have been involved. The data that may have been seen and taken was not the same for everyone and may have included contact information (such as name, address, phone number and email), plus one or more of the following: Other personal data such as Social Security number (in limited instances) or date of birth; Health insurance data such as health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers; Health data such as medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment.” ¹

Broader Implications

Healthcare organizations continue to be prime targets for cyberattacks. In April, Yale New Haven Health (YNHHS) disclosed a data breach that exposed the personal information of 5.5 million patients following a cyberattack. YNHHS is a nonprofit healthcare network headquartered in New Haven, Connecticut, and the largest healthcare system in the state.

For more details, visit the full article: source

Conclusion

The data breach at Episource highlights the ongoing vulnerabilities in the healthcare sector. As cyber threats continue to evolve, it is crucial for healthcare organizations to prioritize cybersecurity measures to protect sensitive patient data.

References

1. Episource (2025). “Notice of Data Breach”. Episource. Retrieved 2025-06-18. ↩︎ ↩︎²