Full Report
California-based Episource disclosed in filings with the U.S. Department of Health and Human Services that more than 5.4 million people had their information taken in a breach discovered in February.
Analysis Summary
# Incident Report: Episource Data Breach Affecting 5.4 Million Individuals
## Executive Summary
A significant data breach was discovered at Episource, a healthcare technology firm, resulting in the exfiltration of sensitive information belonging to over 5.4 million individuals. The compromise window spanned from late January to early February 2025. Episource responded by involving law enforcement and temporarily shutting down affected computer systems to protect patient data.
## Incident Details
- **Discovery Date:** Early February 2025
- **Incident Date:** Between January 27 and February 6, 2025
- **Affected Organization:** Episource (a subsidiary of Optum/UnitedHealth)
- **Sector:** Healthcare Technology
- **Geography:** California-based; breach reported to the U.S. Department of Health and Human Services (HHS)
## Timeline of Events
### Initial Access
- **Date/Time:** On or shortly before January 27, 2025
- **Vector:** Unspecified hacking activity.
- **Details:** Attackers gained unauthorized access to Episource's systems and began copying files.
### Lateral Movement
- **Details:** Not described in the available information. The volume of data copied is consistent with either broad movement through the environment or access to a single large repository; the public disclosures do not say which.
### Data Exfiltration/Impact
- **Details:** Attackers successfully copied sensitive files between January 27 and February 6, 2025. Affected data included Social Security numbers, health insurance ID numbers, Medicaid-Medicare ID numbers, and detailed medical records (doctor visits, diagnoses, test results, care/treatment).
### Detection & Response
- **Details:** Incident discovered in early February 2025. Law enforcement was engaged, and Episource was forced to turn off its computer systems to protect customer and patient data. Customers (like Sharp Healthcare) are issuing individual breach notifications.
## Attack Methodology
- **Initial Access:** Unspecified vulnerability or method; access was obtained on or before January 27, 2025, with file copying continuing until February 6.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified. Locating the data stores that were copied would have required some internal reconnaissance, but none is described in the disclosures.
- **Lateral Movement:** Not specified.
- **Collection:** Targeting extensive patient and member databases containing PII and PHI.
- **Exfiltration:** Copying of files containing personal and medical information.
- **Impact:** Mass exposure of highly sensitive personal and protected health information (PHI).
## Impact Assessment
- **Financial:** Costs associated with investigation, remediation, and notification (not yet quantified, but significant given the scale).
- **Data Breach:** 5,418,866 individuals affected (the figure reported to HHS). Data included SSNs, health insurance IDs, Medicaid/Medicare IDs, and detailed medical records.
- **Operational:** Company systems were forced offline as a defensive measure.
- **Reputational:** Significant reputational damage to Episource and its parent company, Optum/UnitedHealth, especially given prior breaches.
## Indicators of Compromise
- *Note: Specific technical IOCs (IPs, hashes) were not mentioned in the summary.*
- **Behavioral indicators:** Unauthorized bulk file copying between Jan 27 and Feb 6, 2025. In an organization's own telemetry this would appear as an account or host reading or transferring an atypical volume of records from PHI data stores, possibly outside normal working hours, within that window.
## Response Actions
- **Containment measures:** Forced shutdown of computer systems.
- **Eradication steps:** Not specified; presumably part of the ongoing investigation.
- **Recovery actions:** Working with customers to coordinate victim notification; setting up a call line for affected individuals.
## Lessons Learned
- Episource has now experienced two significant data breaches involving similar sensitive data in consecutive years (2023 and 2025), indicating recurring vulnerabilities in data protection controls or maturity.
- The security posture of third-party vendors handling massive amounts of PHI remains a critical systemic risk (especially relevant following the Optum/Change Healthcare incident).
## Recommendations
- Conduct a comprehensive, independent forensic audit of Episource's infrastructure to determine the root cause of initial access and identify all persistence mechanisms and lateral movement paths utilized by the threat actors.
- Review and significantly enhance data minimization policies; ensure PHI and PII are segmented, encrypted at rest, and access restricted to the "need-to-know" basis across all environments.
- Implement stronger preventative and detective controls, including network segmentation, endpoint detection and response (EDR), and monitoring of access volumes on PHI data stores, so that bulk data staging and exfiltration are detected while in progress rather than weeks later.
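The behavioral indicator above (bulk reads of PHI records by one principal in a short window) and the last recommendation (detect staging while it is in progress) both come down to baselining per-account access volume. The following is an added illustrative example, not Episource's, Optum's or any vendor's tooling: it parses constructed JSON-lines audit records (field names `ts`, `user`, `action`, `object`, `bytes` are assumptions), buckets reads per user per hour, and raises an alert when an hour's count is both above an absolute floor and a multiple of that user's own historical median. The sample log is constructed for the example and is not real Episource telemetry.

```python
"""Per-account bulk-access detector over constructed audit log lines.

Added example for this report; not the tooling of Episource, Optum or any
product. The record layout, thresholds and sample data are assumptions.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median


def sample_lines() -> list[str]:
    """Constructed sample log: a service account reads ~20 member records in
    one working hour per day for ten days, then reads 400 records in a single
    early-morning hour. Timestamps are ISO 8601 UTC."""
    lines = []
    for day in range(15, 25):  # 2025-01-15 .. 2025-01-24, 14:00-14:19
        for i in range(20):
            lines.append(json.dumps({
                "ts": f"2025-01-{day:02d}T14:{i:02d}:00Z", "user": "svc-report",
                "action": "read", "object": f"member/{day}{i:03d}", "bytes": 4096}))
    for i in range(400):  # 2025-01-27, 02:00-02:59: 400 reads by the same account
        lines.append(json.dumps({
            "ts": f"2025-01-27T02:{i % 60:02d}:{i // 60:02d}Z", "user": "svc-report",
            "action": "read", "object": f"member/x{i:04d}", "bytes": 4096}))
    return lines


def parse_line(line: str) -> dict:
    """Parse one JSON audit record and convert its timestamp to an aware datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def hourly_read_counts(records) -> dict[str, dict[datetime, int]]:
    """Map user -> hour bucket -> number of read events in that hour."""
    counts: dict[str, dict[datetime, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["action"] != "read":
            continue
        bucket = r["ts"].replace(minute=0, second=0, microsecond=0)
        counts[r["user"]][bucket] += 1
    return counts


def detect_bulk_access(lines, min_reads=100, ratio=5.0, min_history=3) -> list[dict]:
    """Flag any user-hour whose read count is >= min_reads AND >= ratio times the
    median of that user's earlier hourly counts. Hours with fewer than
    min_history prior buckets are skipped so a brand-new account does not alert
    on its first activity. Thresholds are assumptions to be tuned per environment."""
    counts = hourly_read_counts(parse_line(l) for l in lines)
    alerts = []
    for user, buckets in counts.items():
        hours = sorted(buckets)
        for idx, hour in enumerate(hours):
            history = [buckets[h] for h in hours[:idx]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            n = buckets[hour]
            if n >= min_reads and n >= ratio * baseline:
                alerts.append({
                    "user": user,
                    "hour": hour.isoformat(),
                    "reads": n,
                    "baseline": baseline,
                    # off-hours window assumed as 20:00-06:00 UTC for this example
                    "off_hours": hour.hour < 6 or hour.hour >= 20,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(sample_lines()):
        print(a)
```

A per-user median keeps a noisy analyst from hiding a quiet account's spike, and the absolute floor stops low-volume accounts from alerting on trivial counts. In production the same logic would run over real file-server, database or S3 access logs, with the off-hours flag and the object names (which PHI tables or paths were touched) feeding the triage queue rather than being the sole trigger.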