Episource Data Breach 2025 (Optum subsidiary): 6.7M Affected by Ransomware Attack. What Was Stolen and What To Do
The Episource ransomware breach disclosed June 2025 exposed Social Security numbers, diagnoses, prescriptions, test results, and health-plan IDs for 6,725,572 people. Episource is an Optum-owned business associate, so your health plan, not Episource, is notifying you. Here is what was taken and what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 27, 2025
Unauthorized access to Episource network began
Feb 6, 2025
Episource detected unusual activity and contained the intrusion
Apr 23, 2025
Episource began notifying its covered-entity clients (health plans, providers)
Jun 6, 2025
Episource filed with HHS OCR and California Attorney General; first individual letters mailed
Jun 12, 2025
First federal class action filed (Finke v. Episource, 2:25-cv-05330, C.D. Cal.)
Aug 4, 2025
Senate HELP Committee (Cassidy, Hassan) demanded answers from UnitedHealth Group
Jan 27, 2025
Unauthorized access to Episource network began
Feb 6, 2025
Episource detected unusual activity and contained the intrusion
Apr 23, 2025
Episource began notifying its covered-entity clients (health plans, providers)
Jun 6, 2025
Episource filed with HHS OCR and California Attorney General; first individual letters mailed
Jun 12, 2025
First federal class action filed (Finke v. Episource, 2:25-cv-05330, C.D. Cal.)
Aug 4, 2025
Senate HELP Committee (Cassidy, Hassan) demanded answers from UnitedHealth Group
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Episource is a healthcare-technology and services company based in Gardena, California. It is a subsidiary of Optum, which is itself owned by UnitedHealth Group. Episource sells risk-adjustment, medical-coding, and data-analytics services to health plans and provider groups, which means it routinely receives the most sensitive clinical and demographic records its clients hold. It is a HIPAA business associate, not a covered entity, so most of the 6.7 million affected people have no idea Episource exists.
On February 6, 2025, Episource detected unusual activity inside its network. Forensic investigators determined that a criminal actor had unauthorized access between January 27 and February 6, 2025, and copied data out of Episource’s systems during that ten-day window. Episource has not publicly named the threat actor or confirmed the technical nature of the intrusion in its own notification letters, but one of its affected clients, Sharp HealthCare, has stated publicly that the underlying incident was a ransomware attack. No ransomware group has claimed credit on a public leak site as of this writing.
Episource began notifying its covered-entity clients (the health plans and provider groups whose member data it processes) on April 23, 2025. Public regulatory disclosure followed on June 6, 2025, when Episource filed with the U.S. Department of Health and Human Services Office for Civil Rights and the California Attorney General. Individual notification letters were mailed in waves over the following months.
The initial OCR filing covered 5,418,866 individuals. As Episource and its downstream clients completed their record reviews and refiled, the official count rose to 6,725,572 affected people. That refiling is reflected in the current OCR portal entry and makes this one of the two or three largest US healthcare breaches reported in 2025.
Who is notifying you (and why it is your health plan, not Episource)
Episource is a business associate. Under HIPAA, the obligation to notify individuals falls on the covered entity, which is your health plan or provider. That is why the letter in your mailbox may say:
- Anthem Blue Cross
- Horizon Blue Cross Blue Shield of New Jersey
- Sharp HealthCare or Sharp Community Medical Group
- Paramount Healthcare (ProMedica)
- Wellcare
…rather than Episource. The letter typically begins by explaining that “our business associate Episource” experienced an incident, then lists what data of yours Episource had. If you received a letter from one of these plans referencing Episource, you are in the same population this page covers. Additional plans and provider groups are still being added to the public disclosure list as their internal reviews complete.
What was stolen
The exposed dataset is broad and clinically detailed. Across notification letters, Episource and its clients have confirmed the following data elements were potentially copied:
- Full name, mailing address, phone number, email address
- Date of birth
- Social Security number (Episource describes SSN exposure as affecting “limited” individuals rather than the full population)
- Health insurance information: plan name, policy number, member ID, group ID, payer ID
- Medicaid, Medicare, and other government program ID numbers
- Medical record numbers and the names of your treating providers
- Clinical content: diagnoses, prescribed medications, test results, medical images, and treatment notes
Notification letters do not list payment card or bank account information as part of the exposed dataset. The harm shape here is medical identity theft and full-profile identity fraud, not credit-card fraud. The combination of SSN (where exposed) plus full insurance ID plus clinical history is the worst-case dataset for synthetic-identity construction and fraudulent medical billing.
What Episource is offering
Episource is providing 24 months of complimentary credit monitoring and identity-theft protection through IDX (now part of ZeroFox). Affected individuals receive an enrollment code in their notification letter and can sign up online or by phone:
- IDX call center: (877) 786-0549, weekdays
- Enrollment URL (per the original notification letters): the IDX response site referenced in the notice
The enrollment deadline varies by notification cohort, with September 30, 2025 cited in early letters. If your letter arrived later, your deadline is on the letter itself; we recommend enrolling within two weeks of receipt.
Twenty-four months is the longer end of what business associates typically offer. It is also far less time than your Social Security number, date of birth, and Medicare ID will remain valid and exploitable. Treat the IDX enrollment as a floor, not a ceiling.
Class actions and regulatory posture
The first federal class action, Finke v. Episource, LLC, 2:25-cv-05330 (C.D. Cal., filed June 12, 2025), was filed within a week of Episource’s public disclosure. At least a half-dozen additional cases have been filed in the Central District of California, including Gantt v. Episource, LLC, 2:25-cv-05918, and the cases are tracking toward consolidation as In re Episource LLC Data Breach Litigation. The complaints allege that Episource failed to maintain reasonable security commensurate with the volume and sensitivity of the data it processes, and that public notification was delayed beyond what HIPAA and state law require.
Multiple plaintiffs’ firms are actively recruiting affected individuals, including Federman & Sherwood, Edelson Lechtzin LLP, Kantrowitz Goldhamer, Strauss Borrelli, Schubert Jonckheer & Kolbe, Audet & Partners, CaseyGerry, Abington Cole + Ellery, and Dapeer Law.
On the regulatory side, the breach is open on the HHS Office for Civil Rights portal as of this writing, with no public enforcement resolution yet. State Attorney General filings were made in California (June 6, 2025) and several other states. On August 4, 2025, Senate HELP Committee Chairman Bill Cassidy (R-LA) and Senator Maggie Hassan (D-NH) sent a joint letter to UnitedHealth Group demanding answers about detection timeline, notification procedures, and the remediation status of the security improvements UHG promised after the 2024 Change Healthcare attack. The Episource breach is the second nine-figure-impact UHG-family incident in roughly twelve months.
What to do if you received a notification letter
This week:
- Enroll in the IDX credit monitoring. Twenty-four months is the longer end of what is typically offered; use the full window. Call 877-786-0549 or use the enrollment code in your letter.
- Place a free credit freeze at Equifax, Experian, and TransUnion. This is the single highest-leverage step against new-account identity fraud and is independent of whether you enroll in IDX.
- File IRS Form 14039 (Identity Theft Affidavit) if your Social Security number was listed in your letter. This blocks a fraudulent tax return under your SSN.
- If you are a Medicare beneficiary, call 1-800-MEDICARE and request a new Medicare Beneficiary Identifier. The old MBI gets flagged for fraud monitoring and a replacement card is mailed.
- Review your Explanation of Benefits statements from your health plan for services you did not receive. Medical identity theft surfaces in EOBs weeks after the fraud.
This month:
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the demographic and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.
- Watch for additional letters from other health plans. Episource served many plans, and downstream notification waves are still going out a year after the original disclosure.
Frequently asked questions
Why am I getting a letter from my insurance plan about Episource if I have never heard of Episource?
Episource is a business associate, meaning a vendor that processes data on behalf of your health plan. Under HIPAA, your plan is required to notify you when one of its vendors is breached. Episource handles risk-adjustment and medical coding for many large insurers, so the data it had is broad and detailed.
Is the count 5.4 million or 6.7 million?
Both numbers are correct at different points in time. Episource’s initial HHS OCR filing in June 2025 listed 5,418,866 individuals. Subsequent refiling as downstream health plans completed their reviews raised the count on the OCR portal to 6,725,572. The 6.7M figure is the current authoritative number.
Was this ransomware?
Sharp HealthCare, an affected client, has stated publicly that the underlying Episource incident was a ransomware attack. Episource’s own notification letters describe it as unauthorized access and data exfiltration without using the word “ransomware.” No ransomware group has publicly claimed responsibility on a leak site, and there is no public evidence that Episource’s stolen data has been posted for sale or download.
Should I sue?
At least a half-dozen federal class actions are pending in the Central District of California and are tracking toward consolidation. Multiple plaintiffs’ firms are accepting affected individuals; firms publicly investigating include Federman & Sherwood, Edelson Lechtzin, Kantrowitz Goldhamer, Strauss Borrelli, Schubert Jonckheer & Kolbe, Audet & Partners, CaseyGerry, Abington Cole + Ellery, and Dapeer Law. We are not a law firm and cannot give legal advice. Speak with your own attorney or one of the firms listed above.
Is HealthConsent affiliated with Episource, Optum, UnitedHealth Group, IDX, or any of the named health plans?
No. HealthConsent is an independent health-data privacy service. We are not a customer, partner, or affiliate of any party named on this page.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Episource Cyberattack Affects More Than 5.4 Million Individuals
- TechCrunch: Episource is notifying millions that their health data was stolen
- Cybersecurity Dive: Data breach at healthcare services firm Episource affects 5.4M
- California AG: Episource Individual Notice Letter Template
- Anthem Blue Cross: Episource Substitute Notice (June 2025)
- Paramount Healthcare: HIPAA Substitute Notice on Episource
- Sharp HealthCare: Episode Data Breach Notice
- HIPAA Journal: Senators Demand Answers from UnitedHealth After Second Massive Breach
- Healthcare IT News: Episource ransomware attack leaked patient health data
- Justia Dockets: In re Episource LLC Data Breach Litigation, 2:25-cv-05330 (C.D. Cal.)
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.