Pierluigi Paganini June 18, 2025

Data breach at Healthcare services company Episource exposes personal and health data of over 5.4 million people in major cyberattack.

A cyberattack on healthcare firm Episource led to a data breach exposing personal and health data of over 5.4 million individuals.

Episource is a U.S.-based healthcare services and technology company that provides risk adjustment services, clinical data analytics, and medical record review solutions to health plans and healthcare organizations, particularly those operating in Medicare Advantage, Medicaid, and ACA markets.

On February 6, 2025, the company detected suspicious activity in its systems. A threat actor accessed and copied data between January 27 and February 6. In response to the security breach, Episource shut down its systems, launched an investigation with the help of experts, and notified law enforcement. The firm is not aware of any reported misuse of the data so far.

“On February 6, 2025, Episource found unusual activity in our computer systems.  We quickly took steps to stop the activity.  We began investigating right away and hired a special team to help us.  We also called law enforcement.  We turned off our computer systems to help protect the customers we work with and their patients and members.” reads the notice of data breach published on its website.

“We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems.  This happened between January 27, 2025 and February 6, 2025.  To date, we are not aware of any misuse of the data.”

The exposed data varied by individual and may have included contact details, health insurance info, medical records, and, in limited cases, Social Security numbers or birth dates.

“Starting on April 23, 2025, we began notifying our customers about which individuals and specific data may have been involved.” continues the notice. “The data that may have been seen and taken was not the same for everyone and may have included contact information (such as name, address, phone number and email), plus one or more of the following:

• Other personal data such as Social Security number (in limited instances) or date of birth”
• Health insurance data such as health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers;
• Health data such as medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment;

Though financial data was mostly unaffected, individuals should monitor health, financial, and tax records for suspicious activity and report any anomalies to relevant institutions or authorities.

Healthcare organizations continue to be under attack. In April, Yale New Haven Health (YNHHS) disclosed a data breach that exposed personal information of 5.5 million patients following a cyberattack that occurred earlier this month.

Yale New Haven Health System (YNHHS) is a nonprofit healthcare network headquartered in New Haven, Connecticut. It stands as the largest healthcare system in the state, encompassing a comprehensive array of medical services and facilities.​

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)