Over 5.4 Million Affected in Healthcare Data Breach at Episource

by CybrGPT

A data breach at medical billing company Episource has exposed the personal and health information of more than 5.4 million people across the US.

The breach, discovered on February 6, 2025, allowed cybercriminals to access and copy files containing sensitive data. An internal investigation found that the attackers were inside the company’s systems for about 10 days, between January 27 and February 6. Episource temporarily shut down its systems to prevent further intrusion and notified law enforcement.

The compromised data varies by individual but includes names, addresses, phone numbers and email addresses. In many cases, the breach also involved Social Security numbers, dates of birth, insurance policy details, Medicaid and Medicare details, and protected health information (PHI) such as diagnoses, medications, test results and records of medical treatment.

“This breach signals that threat actors are shifting their focus from hospitals and clinics to third-party providers, because this approach allows them to get access to massive amounts of PHI at a time,” said Piyush Pandey, CEO at Pathlock.

“Once adversaries get their hands on this data, they can misuse it for many years ahead for highly personalized scams and blackmail campaigns.”

According to Episource, the following types of data have been potentially compromised:

  • Full name, phone number, email and physical address

  • Date of birth and, in some cases, Social Security number

  • Health insurance details, including members and policy numbers

  • Medical data, including diagnoses, prescriptions and imaging

  • Medicaid and Medicare identification numbers

Episource, owned by Optum, a subsidiary of UnitedHealth Group, provides coding and risk adjustment services to insurers, doctors and hospitals.

Sharp Healthcare, one of Episource’s partners, confirmed the breach was caused by ransomware.

“This incident once again highlights the necessity of preventing unauthorized lateral movement within one’s network,” said Guru Gurushankar, SVP at ColorTokens.

“Organizations have to become breach-ready – this is essential to survival.”

Commenting on the news, James Maude, field CTO at BeyondTrust, emphasized: “Every device and external connection in this ecosystem represents a potential entry point for attackers. This toxic combination of vulnerabilities and access is a prime example of why healthcare has become such attractive targets.”

To reduce risk, Episource is offering free identity protection and credit monitoring. However, the breach has sparked broader concern.

“A breach of this scale drives compliance risks and more stringent regulatory scrutiny for every entity in the healthcare supply chain,” Pandey noted.

“By implementing a privileged remote access strategy, we can eliminate those common entry points for infection, build cyber-resilience and focus on patient health,” added Maude.
