Massive Healthcare Breach at UnitedHealth Subsidiary Episource Exposes Data of Over 5 Million Patients
Episource, a key healthcare services provider under UnitedHealth Group’s Optum division, has disclosed a significant data breach that exposed the sensitive personal and medical data of more than 5.4 million individuals. The company, which offers risk adjustment and medical coding services to healthcare providers and insurers, identified unauthorized access to its systems earlier this year.
The breach was discovered on February 6, 2025, after Episource detected unusual activity and took its systems offline to contain the threat. According to the company’s notification, the attackers may have had access to internal systems for up to 10 days—from January 27 to February 6.
Data potentially accessed or copied includes a broad set of personally identifiable information and medical details:
- Health insurance information: policy details, plan IDs, Medicaid/Medicare identifiers
- Health records: medical record numbers, provider names, diagnoses, lab results, prescriptions, and treatment plans
- Personal identifiers: names, addresses, phone numbers, emails, dates of birth, and in limited cases, Social Security numbers
While Episource claims that not all clients were affected and that all impacted parties have been notified, the breach appears to be one of the largest healthcare-related cybersecurity incidents so far this year. The Department of Health and Human Services’ breach portal confirms the number of affected individuals stands at 5,418,866.
In its public notice, Episource stated:
“We have no indication that the data has been misused. However, we are providing support to affected individuals and taking steps to enhance our system security.”
Cybersecurity experts warn that even if the data hasn’t yet been exploited, the exposed records could be used for identity theft, healthcare scams, or highly targeted phishing attempts. Criminals could impersonate doctors or insurers, using specific health details to gain trust and extract further information from victims.
The breach follows a string of damaging cyberattacks on UnitedHealth Group itself. In early 2024, the BlackCat/ALPHV ransomware group infiltrated another UHG subsidiary, Change Healthcare, causing widespread disruption to pharmacy and billing systems nationwide. UHG reportedly paid a $22 million ransom, which later triggered infighting among the ransomware gang’s affiliates.
Following that breach, UHG revised its total number of impacted individuals to 190 million—almost half the population of the United States—highlighting the staggering scale of its data reach.
UnitedHealth Group operates one of the largest healthcare data ecosystems in the US, processing roughly 50% of all medical claims across 33,000 pharmacies, 600 labs, and 5,500 hospitals.
As cybersecurity incidents in the healthcare sector grow more frequent and damaging, this latest breach adds urgency to strengthening data protection standards, especially in organizations handling high volumes of sensitive health data.
