Episource data breach exposes sensitive information of over 5.4 million individuals

U.S.-based provider of healthcare technology and services, Episource said the data security incident it suffered earlier this year exposed the sensitive personal information of more than 5.4 million individuals.

 

Episource, based in Gardena, California, offers end-to-end risk adjustment solutions, including data analytics, coding, and encounter submissions, to help healthcare organisations manage patient data across Medicare, Medicaid, and commercial markets.

 

In a data security incident notice published on its website, Episource said that on February 6, it identified suspicious activity within its internal network. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

As a precaution, Episource took the affected network offline and notified relevant law enforcement authorities about the incident.

 

“We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems. This happened between January 27, 2025 and February 6, 2025,” Episource said.

 

The compromised data included names, addresses, Social Security numbers, phone numbers and email addresses, health insurance data such as health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers, medical record numbers, doctors, diagnoses, medicines, test results, images, care, and more.

 

Initially, in a filing with the Office of Texas Attorney General, Episource said that it has identified 24,259 Texans impacted by the incident. However, in a recent filing with the U.S. Department of Health and Human Services Office for Civil Rights the company said at least 5,418,866 individuals were affected by the incident.

 

While Episource found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered complimentary identity protection and credit monitoring services through IDX to all affected individuals.

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on Episource. The healthcare service provider also did not share details on who was behind the attack, how much data was compromised, or whether it has received a ransom demand.