In one of the largest healthcare cybersecurity incidents of 2025, Episource, a major healthcare analytics and billing services provider, has confirmed a data breach affecting more than 5.4 million individuals across the United States. The breach, which occurred between January 27 and February 6, 2025, was the result of unauthorized access to Episource’s IT network, during which attackers exfiltrated sensitive personal and medical data.
Details of the Breach
The breach was discovered on February 6, 2025, when Episource detected suspicious activity on its systems. The company promptly initiated an investigation with the assistance of third-party cybersecurity experts and notified law enforcement authorities. Preliminary findings indicate that attackers had persistent access to Episource’s network for roughly ten days, leveraging that window to steal data before systems were taken offline.
Although Episource has not publicly disclosed the specific nature of the cyberattack, evidence from affected partners and breach disclosures suggests it involved ransomware.
Data Compromised
According to a notification provided by Episource and filings with the U.S. Department of Health and Human Services, the following categories of data were compromised:
- Full names
- Social Security numbers
- Dates of birth
- Postal and email addresses
- Phone numbers
- Insurance policy numbers and health plan details
- Medicare/Medicaid identification numbers
- Medical record numbers
- Information relating to diagnoses, prescriptions, test results, provider details, and treatment history
Reportedly, no banking or payment card information was involved in the breach.
Affected Parties
More than 5.4 million individuals in the U.S. are confirmed to be affected, making this one of the largest healthcare data breaches so far in 2025. Episource provides risk adjustment and data analytics services to healthcare organizations nationwide, many of which may be indirectly impacted. Notably, Sharp Healthcare and Sharp Community Medical Group were named among those affected.
Episource is a subsidiary of Optum, which itself operates under UnitedHealth Group, and the breach fits a broader trend of third-party vendor vulnerabilities within the healthcare ecosystem.
Response and Remediation
In response to the breach, Episource took immediate steps to secure its systems, including temporarily shutting down network access and launching a comprehensive security review. The company began notifying affected individuals in April 2025 and is offering two years of complimentary identity protection and credit monitoring services through IDX.
Eligible individuals have until October 11, 2025, to enroll in these services.
In its official statement, Episource noted that there has been no indication, as of now, that the stolen data has been misused. Nevertheless, the company is advising all impacted individuals to remain vigilant against potential identity theft or fraud.