Cybercriminals accessed personal and medical information belonging to 5.4 million Americans through a ransomware attack on Episource, a medical billing company that processes insurance claims for doctors and hospitals nationwide.
The breach occurred between January 27 and February 6, 2025, giving attackers ten days of undetected access to sensitive patient data. Episource discovered the intrusion on February 6 and immediately shut down its systems.
Stolen information includes names, addresses, phone numbers, and Social Security numbers. Medical records showing diagnoses, medications, test results, and treatment details were also taken, along with health insurance policy numbers and Medicare data.
“This breach signals that threat actors are shifting their focus from hospitals and clinics to third-party providers,” said Piyush Pandey, CEO at Pathlock. “This approach allows them to get access to massive amounts of PHI [patient information] at one time.”
Sharp Healthcare, one of Episource’s clients, confirmed the attack used ransomware. The breach ranks among the largest healthcare data thefts reported to federal authorities in 2025.
Episource is owned by Optum, which is part of UnitedHealth Group. This marks the second major cyber attack connected to UnitedHealth in just over a year. The Change Healthcare breach in February 2024 exposed data from 190 million Americans.
Security experts warn that stolen medical information poses greater risks than stolen credit card information. “The compromised data may include detailed medical histories linked to real identities,” said Preston Duren from Fortified Health Security. “Something much more valuable and harder to change than a credit card number.”
Pandey warns that stolen medical data can be misused for years in personalized scams and blackmail campaigns.
The method by which the hackers gained access remains unclear. Experts identify common weak spots, such as unsecured software connections, unpatched security holes, poorly protected cloud storage, or successful phishing emails targeting employees.
Medical billing companies have become prime targets because they handle patient information from multiple healthcare providers simultaneously. This setup lets criminals steal huge amounts of protected health data through a single break-in.
Episource started notifying affected customers about the breach on April 23, 2025. The company is offering two years of free credit monitoring through IDX identity protection services. Patients have until October 11, 2025, to sign up for these services.
The company states that it has strengthened its computer systems and is cooperating with law enforcement. The law firm Edelson Lechtzin LLP has announced that it is investigating potential lawsuits on behalf of affected patients.
Healthcare organizations face growing pressure to secure relationships with outside vendors as attackers increasingly target these connected systems rather than individual medical facilities. The breach highlights how one compromised company can affect millions of patients across the healthcare system.