Healthcare SaaS Data Breach Exposes 5.4M Patient Records
▼ Summary
– Episource, a U.S. healthcare services company, suffered a data breach exposing health information of over 5.4 million people in a January 2025 cyberattack.
– Hackers accessed and copied sensitive data, including names, addresses, medical records, and Social Security numbers, between January 27 and February 6, 2025.
– The breach did not expose banking or payment card information, and Episource has not detected any misuse of the stolen data.
– The compromised data came from Episource’s healthcare provider and insurer clients, though not all clients were affected.
– Impacted individuals are advised to monitor for suspicious activity but will not receive separate notifications from their healthcare providers.
A major healthcare data breach has exposed sensitive information belonging to over 5.4 million patients across the United States. The incident involved Episource, a prominent healthcare services provider specializing in risk adjustment, medical coding, and data analytics for insurers and providers.
The company detected suspicious activity on its systems in early February 2025, later determining that unauthorized access occurred between January 27 and February 6. Hackers infiltrated the network, copying sensitive patient records before the breach was discovered. While Episource has stated there’s no evidence of misuse so far, the scale of the incident raises significant concerns.
Compromised data includes highly sensitive details such as full names, addresses, email and phone numbers, insurance plan information, Medicaid IDs, medical records (diagnoses, treatments, test results), dates of birth, and even Social Security numbers. Fortunately, financial data like credit card or banking details remained unaffected.
With 5,418,866 individuals impacted, this breach ranks among the largest healthcare-related security incidents in recent years. Episource filed the official report with the U.S. Department of Health and Human Services in June, though notifications to affected patients began in late April.
Since Episource works with multiple healthcare providers and insurers, the exposed data originated from its client organizations. The company hasn’t disclosed specific partners involved, clarifying that not all clients were affected. Patients will receive breach notifications directly from Episource rather than individual providers.
Those impacted should take precautions, including monitoring financial accounts for unusual activity, scrutinizing medical bills for unauthorized services, and remaining cautious of phishing attempts. Given the inclusion of Social Security numbers and medical histories, experts recommend credit monitoring and fraud alerts as additional protective measures.
This incident underscores the persistent risks in healthcare data security, particularly for third-party vendors handling vast amounts of sensitive patient information. As investigations continue, affected individuals must stay vigilant against potential identity theft and fraud.
(Source: Bleeping Computer)
