5.4 million patients have data exposed in latest healthcare mega-breach
Another day, another data breach. This time, we add 5.4 million patients to the tally of people who have had sensitive data exposed due to unauthorized access to protected health information.
Episource, a provider of coding and risk adjustment services to health systems and health plans, announced that the event took place early in the winter of 2025, after the company identified “unusual activity” in its computer systems.
“We began investigating right away and hired a special team to help us,” the company said in its breach notification. “We also called law enforcement. We turned off our computer systems to help protect the customers we work with and their patients and members.”
Despite these actions, the attacker was able to access the protected health information of approximately 5.4 million people between January 27, 2025, and February 6, 2025, according to records from the HHS Office for Civil Rights.
While Episource states that they are not aware of any misuse of the data thus far, the exposed elements could certainly be used in troublesome ways against the victims. According to the company, the stolen data may include:
- Contact information (such as name, address, phone number and email)
- Health insurance data such as health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers
- Health data such as medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment
- Other personal data such as Social Security number (in limited instances) or date of birth
Episource began notifying customers of the incident in April and submitted the event to HHS in early June. Affected individuals are being offered the customary credit monitoring services for two years.
The breach comes at a challenging inflection point for cybersecurity in healthcare. Large-scale breaches continue to slam the industry even as experts hotly debate the merits of strengthening the HIPAA Security Rule and Congress considers whether to reauthorize the Cybersecurity Information Sharing Act of 2015, which gives private companies liability protections for sharing cyber threat information with the government and with each other.
Meanwhile, a recent executive order that scales back certain cybersecurity requirements for the federal government and its contractors could have ripple effects across the private sector if Congress and HHS take it as guidance for their future decision-making.
No matter what the rules say, however, healthcare organizations will need to continue exploring more robust methods of protecting their infrastructure from cybercriminals, who aren’t waiting around to see what happens in the convoluted regulatory environment.
With nearly 90% of healthcare organizations vulnerable to cyberattacks in one way or another, and investment in cybersecurity still falling short of the industry’s real-world needs, it will be essential for leaders to take a strong and proactive stance toward implementing safeguards that may prevent them from being the next mega-breach headline.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at [email protected].