Episource warns of a data breach after hackers stole health information of over 5 million people in the United States in a January cyberattack.
Episource is an American healthcare services company that provides risk adjustment, medical coding, data analytics, and technology solutions to health plans and providers. They help insurers optimize payments and compliance in government programs like Medicare Advantage.
In a data breach notification on its website, Episource says it detected unusual activity on its systems on February 6, 2025. An investigation revealed that hackers accessed and exfiltrated sensitive data stored on these systems between January 27 and the time of the discovery.
“We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems,” explains Episource.
“This happened between January 27, 2025 and February 6, 2025. To date, we are not aware of any misuse of the data.”
The exposed data varied per individual but may include one or more of the following data types:
- Full name
- Physical address
- Email address
- Phone number
- Insurance plan information
- Medicaid ID and information
- Medical record details (diagnoses, test results, medications, images, treatments)
- Date of birth
- Social Security number (SSN)
The statement underlines that no banking or payment card information has been exposed due to this incident.
A filing at the U.S. Department of Health and Human Services Office for Civil Rights’s breach portal says the cyberattack impacted 5,418,866 people.
Although Episource has begun notifying impacted individuals since April 23, 2025, the number of exposed people was submitted to the authorities on June 6 and published yesterday.
Episource serves multiple healthcare providers and insurers, and the data exposed in this incident comes from these clients.
The notice does not name any specific providers whose data was involved, and Episource says not all of its clients were impacted by this incident.
The notifications sent to affected patients are on behalf of Episource’s clients, so these people will not be receiving separate notices from the providers.
Impacted individuals are advised to stay vigilant against unsolicited communications, review their benefits statement for services they didn’t receive, and monitor bank and credit card statements for suspicious activity.
Patching used to mean complex scripts, long hours, and endless fire drills. Not anymore.
In this new guide, Tines breaks down how modern IT orgs are leveling up with automation. Patch faster, reduce overhead, and focus on strategic work — no complex scripts required.