
Over five million patients were affected after a massive data breach at Episource that exposed sensitive medical and personal information.
Episource, owned by Optum, a subsidiary of health insurance giant UnitedHealth Group, is an American healthcare services company that provides medical coding and risk adjustment services to doctors, health companies, and health insurance providers.
The data breach discovered by the company in February included the personal and medical data of over five million individuals. In the notice sent to affected clients, Episource explained that hackers had gained access to its systems earlier this year, potentially exposing everything from Social Security numbers to health insurance details and diagnosis records.
According to the breach portal managed by the US Department of Health and Human Services Office for Civil Rights, 5,418,866 individuals were affected by the hacker attack. Episource’s breach notice explains that not all its customers were affected, and the company has informed all impacted customers.
The company said it discovered the attack on February 6th, 2025. After noticing “unusual activity,” Episource turned off its computer systems to protect clients' and patients' data, the breach notice said.
It’s likely that the attackers infiltrated the systems between January 27th, 2025, and February 6th, 2025. The investigation showed that attackers accessed the data and could have copied it.
Among the data potentially exposed are contact information (such as name, address, phone number, and email), plus one or more of the following types of sensitive information:
- Health insurance data: health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers
- Health data: medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment
- Other personal data: Social Security number in limited instances, or date of birth
The company claims that for the moment, it has no information about the data being misused or exploited.
According to Cybernews researchers, exposing personal details hampers individuals’ privacy, opening them up to identity theft and phishing attacks.
Attackers could try to craft tailor-made intrusions, developing healthcare scams and social engineering attacks. For example, cybercriminals could impersonate medical staff to extract additional details from unsuspecting victims.
The biggest breach of a healthcare provider
Attackers have previously targeted UnitedHealth Group (UHG). Early in 2024, the ALPHV/BlackCat ransomware cartel penetrated UHG subsidiary Change Healthcare’s systems.
The UHG cyberattack sent shockwaves through the healthcare system, crippling pharmacies, stalling provider payments, and throwing patients into chaos as prescriptions went unfilled and bills piled up for practitioners.
UHG allegedly coughed up a staggering $22 million in ransom, an amount so massive it sparked infighting among the hackers themselves.
The ransomware gang BlackCat/ALPHV faked its own takedown and vanished with the cash, stiffing the affiliate who actually pulled off the attack. That affiliate, furious, aired their dirty laundry on dark web forums.
UHG CEO Andrew Witty later revealed that the attackers got in using stolen login credentials for the company’s Citrix remote access portal.
At the beginning of 2025, the company revealed the number of people impacted by last year’s breach was 190 million, nearly double the numbers initially reported.
UHG processes about half of all American medical claims, cooperates with 900,000 physicians, and operates 33,000 pharmacies, 5,500 hospitals, and 600 laboratories.