Episource is notifying millions of people that their health data was stolen

Episource, a major player in medical billing, has alerted millions of individuals across the United States about a significant cyberattack that compromised their personal and health information earlier this year. This breach is reported to impact over 5.4 million people, as indicated in a report from the U.S. Department of Health and Human Services, marking it as one of the most substantial healthcare data breaches of 2023. Owned by Optum, a subsidiary of UnitedHealth Group, Episource is responsible for billing adjustments for various healthcare providers, which involves handling vast amounts of sensitive patient information to facilitate claims processing. The company disclosed in notices sent to authorities in California and Vermont that the breach, which lasted approximately a week and concluded on February 6, allowed unauthorized access to patient and member data. The compromised data encompasses a wide array of personal details, including names, mailing and email addresses, phone numbers, as well as protected health information such as medical record numbers and specifics regarding treatments, diagnoses, medications, imaging, and care. Additionally, stolen records feature health insurance details like policy numbers and member information. While the exact nature of the breach has not been publicly detailed by Episource, Sharp Healthcare, one of its partners affected by the incident, indicated that the breach was a result of a ransomware attack. This incident adds to a series of cybersecurity challenges faced by UnitedHealth in recent years. In February 2024, another significant breach occurred when Change Healthcare, a leading entity in the U.S. healthcare sector, was targeted by a ransomware group, leading to the exposure of data belonging to over 190 million Americans. This event has been labeled as the largest healthcare data breach in U.S. history. Moreover, several months later, an internal chatbot utilized by UnitedHealth’s Optum unit was inadvertently left exposed online, raising further concerns about data security in the organization.