The US is investigating a breach of personal data of 5.4 million people linked to a cyberattack on Episource, a healthcare technology company. The attackers stole Social Security numbers, medical records and other sensitive data.

Episource, a California-based company, said that between January 27 and February 6, 2025, hackers stole a large amount of data from its infrastructure. Reports to the US Department of Health and Human Services indicate that 5,418,866 people were affected. The compromised files included Social Security numbers, Medicare/Medicaid IDs, and medical records, including diagnoses, test results, images and treatment information. The company was forced to temporarily shut down its systems to prevent the attack from spreading further, and has yet to provide any official comment to the press. Victims are advised to carefully review their medical records and to contact a dedicated hotline.

Episource provides medical coding and risk analytics for doctors and insurance companies. The victims were either doctors or members of health plans affiliated with the company. Episource had already experienced a data breach in 2023. That same year, it was acquired by Optum, a subsidiary of UnitedHealth. In February 2024, Optum also suffered a massive cyberattack through its subsidiary Change Healthcare, which compromised 190 million medical records.