A major healthcare data breach has come to light involving Episource, a U.S.-based healthcare SaaS provider. In a cyberattack that began in late January 2025, attackers infiltrated the company’s systems and exfiltrated sensitive patient information belonging to over 5.4 million individuals across the United States.
The breach marks one of the largest incidents in the healthcare sector this year and highlights growing concerns over cybersecurity gaps in healthcare technology vendors that handle protected health information on behalf of insurers and providers.
Episource Data Breach Timeline and Discovery
Episource first detected abnormal activity on February 6, 2025, prompting an internal investigation. It was later confirmed that hackers had gained access and stolen data between January 27 and February 6.
“We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems,” the company stated.
Although the company said there is no current evidence of misuse, the impact is significant, and affected individuals are being notified.
What Data Was Exposed?
The types of exposed data vary but may include highly sensitive health and identity details:
- Full names
- Physical addresses
- Email addresses and phone numbers
- Date of birth
- Social Security numbers
- Medicaid ID and plan information
- Medical records (diagnoses, test results, treatment data, imaging)
Notably, no financial account or payment card information was involved in the breach.
Scope of the Incident
According to a breach report filed with the U.S. Department of Health and Human Services (HHS), the number of impacted individuals totals 5,418,866. The report was submitted on June 6 and publicly posted on June 13, even though Episource began issuing notifications to affected patients back on April 23.
Episource confirmed that the compromised data originated from multiple health providers and insurers it serves. However, not all Episource clients were affected, and the company has not named any specific healthcare entities whose data was involved.
Notifications and Risk Mitigation
Because Episource serves healthcare insurers and providers, the breach notifications are being sent on behalf of those organizations, not directly from them. Patients will not receive duplicate notifications from their providers.
Episource urges all affected individuals to take basic protective actions:
- Be wary of unsolicited emails or calls
- Review healthcare benefit statements for unrecognized charges
- Monitor credit reports and bank statements for suspicious activity
A Cautionary Signal to the Healthcare Sector
As the healthcare sector becomes more dependent on third-party technology providers, cyberattacks targeting vendors like Episource are increasing in scale and frequency. Given the sensitivity of health records and regulatory implications under HIPAA, such breaches demand swift response and transparent communication with the public.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.
