Episource data breach exposes personal information of nearly 25,000 individuals

Episource, a U.S.-based provider of healthcare technology and services, disclosed that a data security incident earlier this year exposed the sensitive personal information of nearly 25,000 individuals.

 

Headquartered in Gardena, California, Episource provides end-to-end risk adjustment solutions, including data analytics, record retrieval, coding, and encounter submissions—to help healthcare organisations manage patient data and quality initiatives across Medicare, Medicaid, and commercial markets.

 

In a data security incident notice published on its website, Episource said that on February 6, it identified suspicious activity within its internal network. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

As a precaution, Episource took the affected network offline and notified relevant law enforcement authorities about the incident.

 

“We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems. This happened between January 27, 2025 and February 6, 2025,” Episource said.

 

The compromised data included names, addresses, Social Security numbers, phone numbers and email addresses, health insurance data such as health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers, medical record numbers, doctors, diagnoses, medicines, test results, images, care, and more.

 

In a filing with the Office of Texas Attorney General, Episource said that it has identified at least 24,259 individuals impacted by the incident.

 

While Episource found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered complimentary identity protection and credit monitoring services through IDX to all affected individuals.

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on Episource. The healthcare service provider also did not share details on who was behind the attack, how much data was compromised, or whether it has received a ransom demand.