Episource LLC, a medical coding and risk adjustment services provider owned by UnitedHealth Group's Optum division, has disclosed a cyberattack that compromised the protected health information of 6,725,572 individuals. The company detected suspicious network activity on February 6, 2025, and immediately shut down all computer systems. A forensic investigation later confirmed that unauthorized access occurred between January 27 and February 6, 2025, during which attackers exfiltrated patient data files.
The breach now ranks as the third-largest healthcare data breach of 2025, trailing only Aflac's 13.9 million-record incident and Conduent Business Services' 62.2 million-record breach. It also places 16th among the largest healthcare data breaches ever recorded. The threat actor responsible for the attack remains unidentified, though the pattern of data exfiltration appears consistent with a ransomware operation.
Compromised data varied by individual but included names, addresses, phone numbers, email addresses, and dates of birth. Health-related information exposed in the breach included diagnosis and treatment details, prescriptions, test results, medical images, medical record numbers, and physician names. Health plan information such as policy details, member and group ID numbers, and Medicare or Medicaid payor identifiers was also accessed. Episource began notifying affected individuals on a rolling basis starting April 23, 2025, and reported the breach to California authorities on June 6, 2025.
The incident has drawn scrutiny from U.S. senators concerned about UnitedHealth Group's cybersecurity practices following multiple major breaches. In August, Senators Bill Cassidy and Maggie Hassan sent a letter to UnitedHealth Group CEO Stephen Hemsley questioning the company's ability to secure systems after acquisitions, citing both this breach and the 2024 Change Healthcare incident that affected 192.7 million people. The senators requested details about security improvements implemented since these events, though UnitedHealth Group's responses have not been made public.
Episource is offering affected individuals two years of complimentary credit monitoring and identity theft protection services. The company stated it is strengthening system security measures to prevent similar incidents. Healthcare clients confirmed to be affected include Sharp HealthCare (24,971 individuals), Sharp Community Medical Group (2,029 individuals), and Wellcare, though the full extent of client impact remains unclear. Organizations should review their vendor security assessments and ensure business associates maintain adequate cybersecurity controls to protect patient data.
Source: https://www.hipaajournal.com/episource-data-breach/


