Active breach tracker Gardena, California Disclosed June 6, 2025

Episource Data Breach 2025 (Optum subsidiary): 6.7M Affected by Ransomware Attack. What Was Stolen and What To Do

The Episource ransomware breach disclosed June 2025 exposed Social Security numbers, diagnoses, prescriptions, test results, and health-plan IDs for 6,725,572 people. Episource is an Optum-owned business associate, so your health plan, not Episource, is notifying you. Here is what was taken and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 27, 2025

Unauthorized access to Episource network began

Feb 6, 2025

Episource detected unusual activity and contained the intrusion

Apr 23, 2025

Episource began notifying its covered-entity clients (health plans, providers)

Jun 6, 2025

Episource filed with HHS OCR and California Attorney General; first individual letters mailed

Jun 12, 2025

First federal class action filed (Finke v. Episource, 2:25-cv-05330, C.D. Cal.)

Aug 4, 2025

Senate HELP Committee (Cassidy, Hassan) demanded answers from UnitedHealth Group

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number (in limited instances)

02

Health records

Don't expire and can't be reissued

Medical record numbers Diagnoses and treatment information Prescription / medication data Test results and medical images

03

Contact & insurance

Phishing + targeted scams

Full name Mailing address, phone number, email address Health insurance plan, policy, member and group ID numbers Medicaid / Medicare / government payer ID numbers Treating provider names

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood Edelson Lechtzin LLP Kantrowitz, Goldhamer, Graifman, Perlmutter & Carballo, P.C. Strauss Borrelli PLLC Schubert Jonckheer & Kolbe Audet & Partners CaseyGerry Abington Cole + Ellery Dapeer Law, P.A.
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Episource is a healthcare-technology and services company based in Gardena, California. It is a subsidiary of Optum, which is itself owned by UnitedHealth Group. Episource sells risk-adjustment, medical-coding, and data-analytics services to health plans and provider groups, which means it routinely receives the most sensitive clinical and demographic records its clients hold. It is a HIPAA business associate, not a covered entity, so most of the 6.7 million affected people have no idea Episource exists.

On February 6, 2025, Episource detected unusual activity inside its network. Forensic investigators determined that a criminal actor had unauthorized access between January 27 and February 6, 2025, and copied data out of Episource’s systems during that ten-day window. Episource has not publicly named the threat actor or confirmed the technical nature of the intrusion in its own notification letters, but one of its affected clients, Sharp HealthCare, has stated publicly that the underlying incident was a ransomware attack. No ransomware group has claimed credit on a public leak site as of this writing.

Episource began notifying its covered-entity clients (the health plans and provider groups whose member data it processes) on April 23, 2025. Public regulatory disclosure followed on June 6, 2025, when Episource filed with the U.S. Department of Health and Human Services Office for Civil Rights and the California Attorney General. Individual notification letters were mailed in waves over the following months.

The initial OCR filing covered 5,418,866 individuals. As Episource and its downstream clients completed their record reviews and refiled, the official count rose to 6,725,572 affected people. That refiling is reflected in the current OCR portal entry and makes this one of the two or three largest US healthcare breaches reported in 2025.

Who is notifying you (and why it is your health plan, not Episource)

Episource is a business associate. Under HIPAA, the obligation to notify individuals falls on the covered entity, which is your health plan or provider. That is why the letter in your mailbox may say:

  • Anthem Blue Cross
  • Horizon Blue Cross Blue Shield of New Jersey
  • Sharp HealthCare or Sharp Community Medical Group
  • Paramount Healthcare (ProMedica)
  • Wellcare

…rather than Episource. The letter typically begins by explaining that “our business associate Episource” experienced an incident, then lists what data of yours Episource had. If you received a letter from one of these plans referencing Episource, you are in the same population this page covers. Additional plans and provider groups are still being added to the public disclosure list as their internal reviews complete.

What was stolen

The exposed dataset is broad and clinically detailed. Across notification letters, Episource and its clients have confirmed the following data elements were potentially copied:

  • Full name, mailing address, phone number, email address
  • Date of birth
  • Social Security number (Episource describes SSN exposure as affecting “limited” individuals rather than the full population)
  • Health insurance information: plan name, policy number, member ID, group ID, payer ID
  • Medicaid, Medicare, and other government program ID numbers
  • Medical record numbers and the names of your treating providers
  • Clinical content: diagnoses, prescribed medications, test results, medical images, and treatment notes

Notification letters do not list payment card or bank account information as part of the exposed dataset. The harm shape here is medical identity theft and full-profile identity fraud, not credit-card fraud. The combination of SSN (where exposed) plus full insurance ID plus clinical history is the worst-case dataset for synthetic-identity construction and fraudulent medical billing.

What Episource is offering

Episource is providing 24 months of complimentary credit monitoring and identity-theft protection through IDX (now part of ZeroFox). Affected individuals receive an enrollment code in their notification letter and can sign up online or by phone:

  • IDX call center: (877) 786-0549, weekdays
  • Enrollment URL (per the original notification letters): the IDX response site referenced in the notice

The enrollment deadline varies by notification cohort, with September 30, 2025 cited in early letters. If your letter arrived later, your deadline is on the letter itself; we recommend enrolling within two weeks of receipt.

Twenty-four months is the longer end of what business associates typically offer. It is also far less time than your Social Security number, date of birth, and Medicare ID will remain valid and exploitable. Treat the IDX enrollment as a floor, not a ceiling.

Class actions and regulatory posture

The first federal class action, Finke v. Episource, LLC, 2:25-cv-05330 (C.D. Cal., filed June 12, 2025), was filed within a week of Episource’s public disclosure. At least a half-dozen additional cases have been filed in the Central District of California, including Gantt v. Episource, LLC, 2:25-cv-05918, and the cases are tracking toward consolidation as In re Episource LLC Data Breach Litigation. The complaints allege that Episource failed to maintain reasonable security commensurate with the volume and sensitivity of the data it processes, and that public notification was delayed beyond what HIPAA and state law require.

Multiple plaintiffs’ firms are actively recruiting affected individuals, including Federman & Sherwood, Edelson Lechtzin LLP, Kantrowitz Goldhamer, Strauss Borrelli, Schubert Jonckheer & Kolbe, Audet & Partners, CaseyGerry, Abington Cole + Ellery, and Dapeer Law.

On the regulatory side, the breach is open on the HHS Office for Civil Rights portal as of this writing, with no public enforcement resolution yet. State Attorney General filings were made in California (June 6, 2025) and several other states. On August 4, 2025, Senate HELP Committee Chairman Bill Cassidy (R-LA) and Senator Maggie Hassan (D-NH) sent a joint letter to UnitedHealth Group demanding answers about detection timeline, notification procedures, and the remediation status of the security improvements UHG promised after the 2024 Change Healthcare attack. The Episource breach is the second nine-figure-impact UHG-family incident in roughly twelve months.

What to do if you received a notification letter

This week:

  1. Enroll in the IDX credit monitoring. Twenty-four months is the longer end of what is typically offered; use the full window. Call 877-786-0549 or use the enrollment code in your letter.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. This is the single highest-leverage step against new-account identity fraud and is independent of whether you enroll in IDX.
  3. File IRS Form 14039 (Identity Theft Affidavit) if your Social Security number was listed in your letter. This blocks a fraudulent tax return under your SSN.
  4. If you are a Medicare beneficiary, call 1-800-MEDICARE and request a new Medicare Beneficiary Identifier. The old MBI gets flagged for fraud monitoring and a replacement card is mailed.
  5. Review your Explanation of Benefits statements from your health plan for services you did not receive. Medical identity theft surfaces in EOBs weeks after the fraud.

This month:

  1. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the demographic and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.
  2. Watch for additional letters from other health plans. Episource served many plans, and downstream notification waves are still going out a year after the original disclosure.

Frequently asked questions

Why am I getting a letter from my insurance plan about Episource if I have never heard of Episource?

Episource is a business associate, meaning a vendor that processes data on behalf of your health plan. Under HIPAA, your plan is required to notify you when one of its vendors is breached. Episource handles risk-adjustment and medical coding for many large insurers, so the data it had is broad and detailed.

Is the count 5.4 million or 6.7 million?

Both numbers are correct at different points in time. Episource’s initial HHS OCR filing in June 2025 listed 5,418,866 individuals. Subsequent refiling as downstream health plans completed their reviews raised the count on the OCR portal to 6,725,572. The 6.7M figure is the current authoritative number.

Was this ransomware?

Sharp HealthCare, an affected client, has stated publicly that the underlying Episource incident was a ransomware attack. Episource’s own notification letters describe it as unauthorized access and data exfiltration without using the word “ransomware.” No ransomware group has publicly claimed responsibility on a leak site, and there is no public evidence that Episource’s stolen data has been posted for sale or download.

Should I sue?

At least a half-dozen federal class actions are pending in the Central District of California and are tracking toward consolidation. Multiple plaintiffs’ firms are accepting affected individuals; firms publicly investigating include Federman & Sherwood, Edelson Lechtzin, Kantrowitz Goldhamer, Strauss Borrelli, Schubert Jonckheer & Kolbe, Audet & Partners, CaseyGerry, Abington Cole + Ellery, and Dapeer Law. We are not a law firm and cannot give legal advice. Speak with your own attorney or one of the firms listed above.

Is HealthConsent affiliated with Episource, Optum, UnitedHealth Group, IDX, or any of the named health plans?

No. HealthConsent is an independent health-data privacy service. We are not a customer, partner, or affiliate of any party named on this page.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.