- Episource suffered a cyberattack in late January 2025
- Sensitive data on 5.4 million people was taken
- The company is now notifying affected individuals
American healthcare data giant Episource has begun notifying its customers about a February 2025 data breach in which their sensitive information was stolen.
Episource is a healthcare data and technology company that helps health plans manage risk adjustment, quality measurement, and clinical data through analytics, coding, and technology solutions.
On February 6, 2025, the company spotted a threat actor breaching its defenses and accessing sensitive files it had stored on its devices. After shutting down the IT network, bringing in third-party forensics experts, and notifying law enforcement, the company determined that the attackers took “copies of some data” between January 27 and February 6, 2025.
Personally identifiable data
The data included health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
It also included health data such as medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment, as well as other personal data such as dates of birth or Social Security numbers (SSN).
In a separate report, filed in the meantime with the US Department of Health and Human Services Office for Civil Rights, Episource confirmed that exactly 5,418,866 people were affected by the attack.
Earlier reports also stated the company started notifying them on April 23, 2025, although these were unconfirmed reports.
Cybercriminals often target healthcare organizations for their data, since it can be abused in phishing, identity theft, and other forms of scams.
Crooks can use the data to craft personalized, convincing emails, which can trick the victims into downloading malware or sharing login credentials. That is why Episource is now urging impacted individuals to stay vigilant, and watch out for potential impersonation and scam attempts.
Via TechCrunch
