A cyberattack on a healthcare software firm has compromised sensitive medical and personal data linked to multiple US insurers and providers.
Healthcare services provider Episource disclosed a data breach that exposed the information of approximately 5.4 million individuals. The company detected unusual activity in its systems on February 6, 2025, and later confirmed that attackers had accessed and copied data between January 27 and the date of discovery.
Episource supports health plans and providers by offering technology and analytics solutions, especially for Medicare Advantage and Medicaid programs. The breach impacted data associated with patients whose information was shared with Episource by its clients.
In its public notice, Episource confirmed that hackers were able to view and copy sensitive data, including medical records, diagnoses, test results, and insurance plan information. Personal identifiers such as names, Social Security numbers, dates of birth, and contact details were also among the compromised data types. However, the company stated that no banking or credit card information was affected.
The breach was reported to the U.S. Department of Health and Human Services’ Office for Civil Rights, which published the total affected count, 5,418,866 people, on June 17. Episource began notifying impacted individuals in April, although the formal count was submitted to regulators in early June.
While the company has not named the specific providers involved, it clarified that the breach did not affect all of its clients. Notifications are being issued on behalf of its clients, meaning patients will not receive additional notices directly from their healthcare providers.
In its breach notice, Episource says, “We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems… To date, we are not aware of any misuse of the data.”
The company has advised affected individuals to remain alert to unfamiliar communications, double-check benefit statements for services they did not receive, and monitor financial accounts for suspicious activity, even though no payment data was included in the breach.
Third-party vendors often serve multiple providers and aggregate large volumes of data, making them attractive, high-impact targets for cybercriminals.
Notifications are being sent by Episource on behalf of affected providers. Individuals unsure about their status should contact their insurance provider or check Episource’s website for support.
Monitor your insurance and credit accounts, review Explanation of Benefits (EOB) statements for suspicious charges, and consider placing a fraud alert or credit freeze if Social Security numbers were involved.
Depending on the severity and cause, the breach may trigger investigations by federal and state regulators, potential HIPAA enforcement actions, and class-action lawsuits from affected individuals.
Generally, no. Providers rely on business associates like Episource for operational services, and data sharing is allowed under HIPAA as long as safeguards are in place. Patients can request information on how their data is used, but opting out may not be feasible without impacting care or coverage.