Episource data breach affects 5.4M individuals

Episource, a vendor that provides risk adjustment and medical coding services to health plans and providers, suffered a ransomware attack that resulted in a 5.4-million-record data breach. The breach is the second-largest reported to HHS in 2025, so far.

According to a notice posted on Episource's website, the company found unusual activity in its computer systems on Feb. 6, 2025, and immediately contacted law enforcement. Further investigation revealed that a cybercriminal had accessed Episource systems between Jan. 27, 2025, and Feb. 6, 2025, and copied some of its data.

Episource began notifying customers about the breach on April 23, 2025. The data involved in the breach varied by individual but included some combination of name, address, phone number, email, health insurance data, medical record numbers, treatment information and other sensitive data, such as Social Security numbers.

"We have taken several steps to mitigate and help prevent events like this from happening in the future. We investigated and called law enforcement," Episource stated. "We are also making our computer systems even stronger than before."

San Diego-based Sharp Healthcare was one of the impacted Episource customers. Sharp Healthcare issued a breach notice to nearly 25,000 individuals associated with its health system, as well as 2,000 individuals associated with Sharp Community Medical Group.

Sharp Healthcare said that Episource notified the health system of the breach in April 2025. Sharp Healthcare and Episource both reported that they are not aware of any misuse of the breached data.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.