Data breach at healthcare services firm Episource affects 5.4M

Dive Brief:

• A data breach at healthcare services firm Episource exposed information from 5.4 million people, according to a report submitted earlier this month to federal regulators.
• The company detected unusual activity on its computer systems in February, and an investigation found a cybercriminal had accessed and stolen some of its data, Episource said in a breach notification. 
• The incident is one of the largest healthcare data breaches reported to the HHS’ Office for Civil Rights so far this year, second only to a breach at Yale New Haven Health System, which exposed the health information of about 5.6 million people.

Dive Insight: 

Episource offers medical coding and risk adjustment services to providers, health plans and other healthcare organizations. 

Data exposed in the breach may include contact information, health insurance details and health data, like medical record numbers, doctors, diagnoses, test results and treatment. Other personal information like Social Security numbers and birth dates could also be compromised.

Episource isn’t aware of any misuse of data to date, the company said in its breach notice. 

Not all of the firm’s customers were affected, and Episource is working with impacted healthcare organizations to notify individuals with exposed data, according to the notice. 

One affected customer is Sharp Healthcare, which reported that Episource confirmed in late April that the San Diego-based health system was impacted by the “ransomware data breach.” Earlier this month, Sharp and its medical group reported breaches to OCR that affected more than 24,000 and 2,000 individuals, respectively. 

The incident at Episources comes as the number of data breaches in the healthcare sector has soared, driven by hacking and ransomware, a type of malware that denies users access to their data until a ransom is paid.

Cyberattacks can also expose significant amounts of patient data. Last year, a ransomware attack on UnitedHealth subsidiary Change Healthcare compromised data from a record-breaking 190 million people.

Millions of people continue to be impacted by healthcare breaches in 2025. The breach at Yale reported this spring took place after an unauthorized third party gained access to its network.

Additionally, 4.7 million individuals were affected by a breach at Blue Shield of California after the insurer learned Google Analytics, a vendor Blue Shield employs to track use of its websites, was sharing member data with the advertising service Google Ads for several years.