Episource Data Breach Affects Over 5.4 Million Patients

Class action filed after California-based healthcare firm admits cyberattack exposed sensitive patient records.
A massive data breach at healthcare technology company Episource, LLC has exposed the personal and medical information of more than 5.4 million individuals. The breach, discovered in February 2025, has led to growing concerns about healthcare data security and has already prompted a class action lawsuit.
Episource, LLC is a California-based healthcare technology company that provides risk adjustment, medical coding, and data analytics services to health plans.
What Happened?
Episource detected suspicious activity in its systems on February 6, 2025. Investigations revealed that hackers had gained unauthorized access and exfiltrated sensitive data between January 27 and February 6. In response, the company shut down systems, launched an internal investigation, brought in cybersecurity experts, and notified law enforcement.
Although the breach was discovered in early February, notification letters were not sent until June 2025, prompting criticism over the delayed response.
What Information Was Stolen?
Episource confirmed that the compromised data varies by individual, but may include:
- Full names, addresses, phone numbers, and email addresses
- Dates of birth and, in some cases, Social Security numbers
- Health insurance data, including plan and member ID numbers
- Medical records: diagnoses, treatments, prescriptions, test results, imaging, and more
This information is considered both Personally Identifiable Information (PII) and Protected Health Information (PHI), placing victims at heightened risk for identity theft and medical fraud.
What Is Episource Doing to Protect My Identity?
Episource took steps to contain the incident by shutting down affected computer systems and notifying law enforcement. On April 23, 2025, Episource began notifying customers with information about which individuals may have been impacted.
Episource has offered two years of free credit monitoring to affected individuals and encouraged victims to monitor financial, medical, and tax accounts for unusual activity. The company has also stated that it is working with clients to provide breach notifications and has implemented security enhancements in response to the attack.
However, the delayed public disclosure and the breadth of compromised information have led many to question whether the company did enough to protect the data.
Why Does This Matter?
This breach is part of a disturbing trend in the healthcare sector, where cyberattacks are increasingly targeting companies that store rich troves of medical and personal data. Healthcare data is highly valuable on the dark web, often selling for much more than credit card numbers.
A class action lawsuit alleges that Episource failed to implement reasonable data protection measures, did not encrypt sensitive data, and violated HIPAA and federal trade practices. Plaintiffs claim ongoing harm and increased risk of identity theft.
Protect Your Identity
If you received a notification letter from Episource, it is important to understand the serious risks associated with the exposure of your private information and to take immediate action.
- Enroll in any free credit monitoring services offered
- Place fraud alerts or security freezes on your credit reports
- Monitor health insurance claims and medical statements
- Report suspicious activity to authorities immediately
Join the Episource Data Breach Class Action
Those affected by the Episource data breach may be eligible to join a class action lawsuit. Victims are seeking compensation for damages including time spent monitoring accounts, risk of identity theft, and emotional distress.