Episource, a healthcare technology firm providing medical coding and risk adjustment services to health plans and providers, disclosed a data breach affecting over 5.4 million individuals, with official filings to the U.S. Department of Health and Human Services (HHS) listing 5,418,866 people impacted. The breach occurred between January 27 and February 6, 2025, when cybercriminals accessed and copied sensitive data from Episource’s systems.
The stolen information varied by individual but included a combination of the following:
• Personal identifiers: Name, address, phone number, email address, date of birth, Social Security number
• **Health insurance ** Health insurance ID numbers, Medicaid/Medicare ID numbers
• Medical information: Medical record numbers, treatment information, diagnoses, test results, images, and care details
Episource detected the breach on February 6, 2025, and responded by shutting down its computer systems, contacting law enforcement, and engaging cybersecurity experts to investigate. The company began notifying affected customers in April and has since been working with clients to coordinate individual notifications. Some clients, such as Sharp Healthcare, have issued their own breach notices for affected individuals.
Episource has stated there is currently no evidence of misuse of the compromised data and is offering affected individuals two years of complimentary credit monitoring and identity theft protection services. The incident has also prompted class action investigations due to the delayed public disclosure of the breach and the sensitive nature of the exposed information.
