Episource Data Breach Impacts 5.4 Million People: SSNs Exposed

Update (Dec. 31, 2025): A filing with the Oregon Attorney General has disclosed a total of 6,584,876 people have been affected in the breach.

Between January 27, 2025, and February 6, 2025, Episource, LLC, a provider of risk adjustment services for the healthcare industry, experienced a major data breach affecting several thousand individuals. The cybersecurity incident exposed both personally identifiable information (PII) and protected health information (PHI).

The breach was discovered on February 6, 2025, when Episource detected unusual activity in its computer systems. An investigation determined that a cybercriminal had gained unauthorized access and was able to view and copy sensitive data stored on Episource’s systems during this period.

The cybersecurity incident was disclosed to the U.S. Department of Health and Human Services on June 6, 2024, reporting 5,418,866 individuals affected by the breach. Affected individuals includes 337,982 Texas residents, 60,874 in Washington, 400 Montana residents, 50 in Massachusetts and five in New Hampshire.

The data breach was also disclosed the California Attorney General's office on June 6, 2025 and to the Texas, Massachusetts, Vermont, Montana, Washington and New Hampshire Attorney Generals' offices beginning on June 10, 2025. Episource published a Notice of Data Breach on a dedicated response website on April 23, 2025.

Information exposed is extensive and may include names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, health insurance information (health plans, policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers), medical record numbers, diagnoses, names of doctors, prescribed medications, test results, images and care and treatment details.

Episource's response

Episource took steps to contain the incident by shutting down affected computer systems and notifying law enforcement. On April 23, 2025 Episource began notifying customers with information about which individuals may have been impacted.

If you receive notification from Episource or your provider about this breach, you may want to:

• Sign up for the free IDX identity theft protection services, offered by Episource.
• Monitor your credit reports and financial accounts for any unusual activity.
• Be alert for phishing emails or phone calls that may use your exposed information.
• Consider placing a fraud alert or credit freeze with major credit bureaus.

For affected individuals with questions, Episource has set up a call center at 877-786-2549, Monday through Friday, 8 a.m. to 8 p.m. CT.

To learn more about the company, visit the Episource website.