UnitedHealth-Linked Health Tech Firm Episource Breach Hits 5.4M Patients

Episource, a company specialising in medical billing, is currently informing more than 5.4 million individuals across the United States that their personal and health information was stolen in a cyberattack earlier this year.

This incident, impacting a significant number of Americans, stands as a major healthcare data breach reported in 2025 so far, according to data from the US Department of Health and Human Services.

Episource, which is part of Optum, a subsidiary of UnitedHealth Group, plays a crucial role in the healthcare system. As a medical billing company, it works with doctors, hospitals, and other healthcare providers to process claims through health insurance. This means they handle vast amounts of sensitive patient data.

In notices filed with authorities in California and Vermont, Episource stated that a cybercriminal gained unauthorised access to their systems. The company discovered unusual activity in their computer systems on February 6, 2025.

Investigations revealed that between January 27, 2025, and February 6, 2025, the attacker was able to view and copy various types of patient and member data from Episource’s systems.

Although Episource has not publicly detailed the specific nature of the attack, Sharp Healthcare, one of their clients impacted by the breach, has informed its customers that the incident was caused by ransomware.

“On April 24, 2025, Episource, a Sharp HealthCare and Sharp Community Medical Group business associate, confirmed Sharp was one of their customers affected by a ransomware data breach,” the company noted in its breach notification.

The stolen information is extensive and includes sensitive personal and health details. This covers basic contact information like names, postal and email addresses, and phone numbers.

More critically, the breach exposed protected health data, such as medical record numbers, information about doctors, diagnoses, medications, test results, imaging, and details regarding care and treatment. Additionally, health insurance information, including health plans, policy details, and member numbers, was also taken.

Episource began notifying affected customers about the specific data involved on April 23, 2025. The company has since taken steps to strengthen its computer systems and has engaged with law enforcement to investigate the incident.

To assist those affected, Episource is offering two years of free credit monitoring and identity theft protection services through IDX. Individuals have until October 11, 2025, to enroll in these services.

The company advises everyone to carefully check statements from healthcare providers, insurance companies, and financial institutions for any suspicious activity and to report any concerns immediately to the relevant authorities.

“This breach signals that threat actors are shifting their focus from hospitals and clinics to third-party providers, because this approach allows them to get access to massive amounts of PHI at a time,“ said Mr. Piyush Pandey, CEO at Pathlock.

“Once adversaries get their hands on this data, they can misuse it for many years ahead for highly personalised scams and blackmail campaigns. A breach of this scale drives compliance risks and more stringent regulatory scrutiny for every entity in the healthcare supply chain,” he emphasised.

This is the second major data breach tied to UnitedHealth Group within just over a year. HackRead previously reported that a ransomware attack on UnitedHealth’s Change Healthcare unit in February 2024 exposed data from around 190 million Americans, making it one of the largest healthcare leaks ever.

Now, UnitedHealth‑linked firm Episource has suffered yet another breach, with 5.4 million patients affected, showing a problematic pattern of cybersecurity vulnerability across entities connected to UnitedHealth.