Episource 2025 Cyberattack Exposes 6.7 Million Patient Records

In one of the largest healthcare data breaches reported in 2026, Episource, a major provider of medical coding and risk adjustment services, disclosed that a cyberattack in early 2025 compromised the protected health information (PHI) of approximately 6.7 million individuals. The breach, reported to the Department of Health and Human Services on June 8, 2026, highlights the ongoing cybersecurity challenges facing healthcare organizations and their business partners.

What Happened

Episource experienced a significant cyberattack in early 2025 that resulted in unauthorized access to systems containing sensitive patient information. While specific details about the attack methodology remain limited in public disclosures, the incident affected millions of individuals whose health information was processed by the company.

The breach was reported over a year after it initially occurred, which is concerning from a HIPAA compliance perspective. Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), covered entities must notify the Department of Health and Human Services of breaches affecting 500 or more individuals within 60 days of discovery.

Episource provides critical healthcare services including:

• Medical coding services
• Risk adjustment solutions
• Healthcare software platforms
• Clinical documentation improvement
• Quality measurement programs

These services require access to vast amounts of patient health information, making the company a high-value target for cybercriminals.

Who Is Affected

The breach impacts approximately 6.7 million individuals whose protected health information was stored or processed by Episource. This includes patients from various healthcare organizations that contracted with Episource for medical coding and risk adjustment services.

Affected individuals may include patients from:

• Health insurance plans
• Healthcare providers
• Government health programs
• Risk adjustment clients

The large scale of this breach places it among the most significant healthcare data incidents in recent years, ranking in the top tier of breaches reported to the HHS Office for Civil Rights.

Breach Details

While complete details about the incident remain under investigation, here's what we know:

• Entity: Episource
• Individuals Affected: 6,700,000
• Breach Type: Cyberattack (specific method undisclosed)
• Date of Incident: Early 2025
• Date Reported to HHS: June 8, 2026
• Business Associate Involvement: No direct business associate reported
• Location: Undisclosed

The delay between the incident occurrence and public reporting raises questions about breach detection capabilities and notification compliance. Under HIPAA's Security Rule (45 CFR § 164.308), covered entities must implement procedures to regularly review information system activity records.

What This Means for Patients

If you received services from a healthcare organization that uses Episource for medical coding or risk adjustment, your information may have been compromised. The types of data potentially accessed in such breaches typically include:

• Personal identifiers (names, addresses, phone numbers)
• Medical record numbers
• Health insurance information
• Medical diagnoses and treatment codes
• Dates of service
• Social Security numbers (in some cases)

Patients should be particularly vigilant about:

1. Identity theft monitoring
2. Medical identity fraud
3. Insurance fraud attempts
4. Phishing communications
5. Unauthorized medical services

How to Protect Yourself

If you believe you may be affected by this breach, take these immediate steps:

Monitor Your Accounts

• Review all medical bills and insurance statements carefully
• Check your credit reports from all three major bureaus
• Monitor bank and credit card statements for unauthorized activity
• Watch for unexpected medical collection notices

Implement Security Measures

• Place fraud alerts on your credit files
• Consider credit freezes for additional protection
• Use strong, unique passwords for all healthcare portals
• Enable two-factor authentication where available

Stay Alert for Scams

• Be suspicious of unsolicited communications asking for personal information
• Verify the legitimacy of any medical billing inquiries
• Don't click links in suspicious emails claiming to be from healthcare organizations
• Report any suspected fraud to your insurance company immediately

Document Everything

• Keep records of all breach notifications received
• Document any suspicious activity you discover
• Maintain copies of correspondence with healthcare providers and insurers

Prevention Lessons for Healthcare Providers

This breach underscores critical cybersecurity lessons for healthcare organizations:

Vendor Risk Management

Healthcare organizations must thoroughly vet business associates and ensure they maintain appropriate security measures. This includes:

• Conducting regular security assessments
• Requiring business associate agreements (BAAs) that meet HIPAA standards
• Implementing ongoing monitoring of third-party security practices
• Establishing clear incident response protocols

Security Infrastructure

Organizations should implement comprehensive security measures including:

• Multi-factor authentication for all system access
• Network segmentation to limit breach impact
• Regular security audits and penetration testing
• Employee cybersecurity training programs
• Incident detection and response capabilities

HIPAA Compliance

The HIPAA Security Rule requires covered entities to:

• Implement administrative safeguards (§ 164.308)
• Establish physical safeguards (§ 164.310)
• Deploy technical safeguards (§ 164.312)
• Ensure business associates provide adequate protections (§ 164.314)

Breach Response Planning

Organizations must be prepared to:

• Detect breaches promptly through monitoring systems
• Investigate incidents thoroughly and quickly
• Notify affected individuals within 60 days
• Report to HHS within 60 days for breaches affecting 500+ individuals
• Coordinate with law enforcement when appropriate

The Episource breach serves as a stark reminder that healthcare data security requires constant vigilance, robust technical controls, and comprehensive risk management strategies. As cyber threats continue to evolve, healthcare organizations must prioritize cybersecurity investments and ensure their business partners maintain equally strong protections.

For healthcare providers looking to strengthen their HIPAA compliance and cybersecurity posture, professional guidance can be invaluable in implementing effective protection strategies and avoiding costly breaches.

Learn how HIPAA Agent can help protect your practice.