Episource, a healthcare technology firm owned by UnitedHealth, has confirmed that it suffered a ransomware attack earlier this year. The February attack led to a data breach that exposed patient records to hackers. The company has now started notifying affected individuals.
According to a notice posted this week, an investigation found that hackers accessed sensitive data stored on Episource servers. The breach lasted about nine days, from January 27 to February 6. Episource reported the incident to authorities at the time. The investigation wrapped up earlier this month, though preliminary warnings had already been sent to customers in April.
Episource provides data analytics tools that help healthcare providers and insurers with billing and revenue cycle management. Because of this role, it has access to sensitive patient information.
The company said data taken in the attack likely includes patient contact details, insurance and health plan information, member IDs, and Medicaid and Medicare IDs. Health records such as diagnoses, procedures, test results, medical images, and treatments may also have been stolen. In some cases, Social Security numbers and dates of birth could have been exposed, as they are typically included in medical claims.
Financial and banking data, including payment cards, were mostly not affected.
Episource said nearly 5.5 million people are impacted, based on numbers submitted to the federal healthcare data breach tracker.
The company advised patients to stay vigilant. It urged them to monitor health plan benefit statements, healthcare provider bills, credit reports, bank accounts, and tax returns for any suspicious activity. If patients see unfamiliar healthcare services listed, they should contact their health plan or doctor right away.
Episource said it has strengthened its security systems since the breach and continues to work with law enforcement. So far, no hacker group has claimed responsibility, and no stolen data has been found on the dark web.
