Medical billing giant Episource is notifying millions of people across the United States that their personal and health information was stolen in a cyberattack earlier this year.
The breach affects more than 5.4 million people, according to a listing with the U.S. Department of Health and Human Services, making it one of the largest healthcare breaches of the year so far.
Episource, owned by health insurance giant UnitedHealth Group’s subsidiary Optum, provides billing adjustment to the doctors, hospitals, and other organizations that work in the healthcare industry. As such, the company handles large amounts of patients’ personal and medical data to process claims through their health insurance.
In notices filed in California and Vermont on Friday, Episource said a criminal was able to “see and take copies” of patient and member data from its systems during the weeklong breach ending February 6.
The stolen information includes personal information, such as names, postal and email addresses, and phone numbers, as well as protected health data, including medical record numbers, and data relating to doctors, diagnoses, medications, test results, imaging, care, and other treatment. The stolen data also contains health insurance information, like health plans, policies, and member numbers.
Episource did not describe the nature of the incident, but Sharp Healthcare, one of the companies that works with Episource and was affected by the cyberattack, told its customers that the Episource hack was caused by ransomware.
This is the latest cybersecurity incident to hit UnitedHealth in recent years.
Change Healthcare, one of the largest companies in the U.S. healthcare industry that processes billions of health transactions each year, was hacked by a ransomware gang in February 2024, leading to the theft of more than 190 million Americans’ personal and health information. The cyberattack was the largest healthcare data breach in U.S. history.
Several months later, UnitedHealth’s Optum unit left an internal chatbot used by employees to ask about claims exposed to the internet.
