Episource
Data Breach Class Action Lawsuit

Posted: July 16, 2025 -- Attention, victims of the Episource data breach.

Abington Cole + Ellery is investigating the data breach recently announced by Episource.

Episource Data Breach Summary:

Approximately 5.4 million individuals were affected by the Episource data breach, and breached data may include, but is not necessarily limited to: name, date of birth, Social Security number, address, email address, phone number, insurance plan data, and medical data.

In early 2025, Episource LLC – a healthcare data services provider owned by UnitedHealth Group’s Optum division – suffered a data breach resulting from a cyberattack on its network. Unauthorized access to Episource’s systems occurred over roughly ten days between January 27 and February 6, 2025. The breach was discovered on February 6, when suspicious activity was detected, prompting Episource to immediately shut down its computer systems to contain the intrusion and engage third-party cybersecurity experts to investigate. Law enforcement was also notified at that time. While Episource’s initial public notices did not specify the nature of the attack, a client disclosure later confirmed that this incident was caused by a ransomware attack that allowed the hacker to view and copy data from Episource’s servers.

During the breach, the attacker was able to access and exfiltrate a broad range of sensitive data from Episource’s systems. The stolen information included personal identifiers such as names, postal addresses, email addresses, phone numbers, and dates of birth, as well as extensive protected health information. Compromised health data encompassed medical record numbers and details of patients’ care – including the names of treating doctors, diagnoses, medications, lab test results, imaging, and other treatment information. In addition, health insurance-related details were exposed, like patients’ health plan names, policy or group numbers, and member identification numbers. In total, the breach affected the records of over 5.4 million individuals across the United States. This made the Episource incident one of the largest healthcare data breaches reported in 2025. The victims span multiple healthcare organizations that used Episource as a business associate; for example, Sharp HealthCare in California confirmed that about 25,000 of its patients were among those impacted by the Episource breach.

Episource’s official response to the breach involved both notifying authorities and offering support to affected parties. The company reported the incident to regulators as required by law, including filing notices with state attorneys general and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. (The HHS breach portal entry for Episource lists approximately 5.4 million individuals affected.) State-level notices were submitted in the months after the attack – for instance, California’s Attorney General was informed by early June 2025, and a filing with the Texas Attorney General indicated over 24,000 Texas residents were impacted. Episource also alerted its client organizations and began sending out individual notification letters to patients starting in April 2025, once the scope of compromised data was determined. In these notices, the company advised that it had no evidence of misuse of the data so far and offered complimentary credit monitoring and identity theft protection to those affected. Episource stated that it has taken steps to strengthen its cybersecurity safeguards to prevent similar incidents in the future. Law enforcement investigations and regulatory reviews are ongoing, given the scale of the breach and the sensitive medical information involved, though no specific enforcement actions have been publicly announced as of mid-2025.

As a result of the data breach, Episource is offering free credit monitoring and/or identity theft protection services to some affected individuals.

Additional information about the Episource data breach may be found here: Episource NOTICE OF DATA BREACH. The Episource Website may also have additional information about or provide periodic updates regarding the data breach.

About Episource:

Episource is a healthcare technology company that focuses on risk adjustment and quality management solutions primarily for healthcare organizations. The company's headquarters are in California, and it serves clients including health plans, provider groups, and integrated healthcare systems. Episource's core operations involve providing services such as medical record reviews, data analytics, coding support, and submission services, which help organizations manage patient data and reporting requirements for regulatory compliance.

The company's technology platform incorporates artificial intelligence and data analytics tools to assist healthcare providers in handling large sets of patient data. Episource emphasizes accuracy in risk adjustment coding to comply with regulatory frameworks, including Medicare and Medicaid requirements. Additionally, Episource delivers services related to quality improvement programs, population health management, and clinical data validation, supporting healthcare providers in meeting reporting standards and optimizing reimbursement accuracy.

Episource has expanded its presence through various collaborations and partnerships within the healthcare industry. It maintains an international workforce and operates additional offices outside its California headquarters. The company participates actively in industry discussions around healthcare policy, data management standards, and technology integration, providing expert commentary on developments related to healthcare data analytics and compliance requirements.

For more information about steps you can take to possibly reduce the chances harm arising from a data breach, please review the following article: What are some steps you can take if you've been the victim of a data breach?

If you believe you are a victim of the Episource data breach, and if you would like to volunteer to serve as a class representative in a class action lawsuit regarding this data breach, please submit your information via the form on this webpage. This website is not associated with nor authorized by Episource or any affiliated companies. If you have received any other data breach notifications, you may to review Abington Cole + Ellery's current list of data breach investigations.