Medical billing giant Episource has confirmed a massive data breach, notifying over 5.4 million individuals across the United States that their sensitive health and personal information was compromised during a cyberattack earlier this year. The incident ranks among the largest healthcare security failures of 2024.
Scope of the Security Incident
According to data filed with the U.S. Department of Health and Human Services, the breach impacted approximately 5.4 million people. Episource, a subsidiary of UnitedHealth Group’s Optum division, specializes in billing adjustments for hospitals and healthcare organizations, granting the firm access to vast repositories of patient medical data.
In official notices submitted to regulators in California and Vermont, the company admitted that an unauthorized actor gained access to its systems, successfully copying patient and member files between January 31 and February 6.
What Data Was Stolen?
The compromised dataset is extensive, exposing both personally identifiable information (PII) and protected health information (PHI). Affected individuals face risks related to the exposure of:
- Personal Details: Full names, postal addresses, email addresses, and phone numbers.
- Medical Records: Medical record numbers, diagnostic data, treatment details, medication lists, imaging results, and test reports.
- Insurance Information: Health plan details, policy numbers, and member identification numbers.
Ransomware Behind the Attack
While Episource initially remained vague regarding the mechanics of the breach, Sharp Healthcare—a partner firm impacted by the incident—has officially confirmed that the Episource hack was triggered by a ransomware attack.
UnitedHealth’s Growing Security Challenges
This incident marks another major cybersecurity setback for UnitedHealth Group. The parent company has faced intense scrutiny following a series of security lapses within its subsidiaries:
- Change Healthcare: In February 2024, a ransomware attack on this UnitedHealth subsidiary resulted in the theft of personal and health data belonging to more than 190 million Americans, marking the largest healthcare data breach in U.S. history.
- Optum Exposure: Months after the Change Healthcare incident, the company’s Optum unit was found to have left an internal employee chatbot exposed to the public internet, further compromising internal claims data.