Massive data breach at Episource exposes medical records of over 5 million patients

A major data breach at healthcare services firm Episource has compromised the personal and medical information of more than 5.4 million individuals, marking one of the most significant healthcare cybersecurity incidents in recent months. The breach, discovered on February 6, 2025, reportedly allowed hackers to access sensitive data, including Social Security numbers, health insurance details, and diagnosis records.

Episource, a company owned by Optum under UnitedHealth Group, provides risk adjustment and medical coding services to healthcare providers and insurers. In a breach notice sent to clients, the company stated it detected “unusual activity” and subsequently shut down its computer systems to contain the threat. The attack is believed to have occurred between January 27 and February 6, 2025.

The breach was officially listed on the U.S. Department of Health and Human Services Office for Civil Rights’ data portal, which confirmed that 5,418,866 individuals were impacted. While not all clients of Episource were affected, the company has contacted those whose data may have been compromised.

According to the company’s disclosure, the potentially exposed information includes names, addresses, phone numbers, email addresses, health insurance data such as policy and member ID numbers, medical records, test results, diagnoses, prescriptions, and, in some cases, Social Security numbers and dates of birth. At this time, Episource reports no evidence that the stolen data has been misused.

Cybersecurity experts warn that the exposure of such detailed personal and medical information poses serious privacy risks. Analysts from Cybernews noted that victims could face identity theft, phishing attempts, and healthcare-related scams. Criminals may use the data to impersonate medical personnel or craft targeted attacks to extract even more information.

This breach is the latest in a series of damaging cybersecurity incidents linked to UnitedHealth Group. In early 2024, its subsidiary Change Healthcare was attacked by the ALPHV/BlackCat ransomware group, resulting in widespread service disruptions across the U.S. healthcare system. That breach reportedly led to a $22 million ransom payment and affected an estimated 190 million people—nearly half the U.S. population.

UnitedHealth Group plays a central role in the U.S. healthcare infrastructure, processing about half of all medical claims and operating tens of thousands of medical facilities, pharmacies, and laboratories nationwide.