5.4 million
Individuals affected
OCR investigation ongoing; class actions filed
Total cost
EpiSource (Optum / UnitedHealth subsidiary)
Ransomware actor maintained network access for 10 days, exfiltrating patient files for ~5.4 million individuals
EpiSource — a medical-coding subsidiary in the UnitedHealth Group portfolio — disclosed in 2025 that a ransomware group had access to its network from January 27 through February 6, 2025. The attacker accessed files containing names, addresses, dates of birth, Social Security numbers, member IDs, and diagnosis and treatment details for approximately 5,418,866 individuals. Notification letters began in mid-2025; the OCR Breach Portal listing remains in active investigation. The breach lands inside the same parent organization as the 2024 Change Healthcare incident, intensifying scrutiny of UHG vendor security posture across the federation.
What went wrong
- Insufficient identity-management controls on remote access (post-Change Healthcare lesson not propagated)
- 10-day attacker dwell time before detection — long enough for full data exfiltration
- Patient sensitive identifiers (SSN, DOB, diagnoses) stored in attacker-accessible layer
- Notification timeline approached the HIPAA Breach Notification Rule outer limit
Key lessons
- A single parent organization's lessons must propagate across all subsidiaries
- Identity-management gaps remain the primary lateral-movement vector
- Pre-staged forensic readiness shortens dwell-time discovery windows
- Segment subsidiaries' data stores from each other for blast-radius containment