Now that it’s been reported that UnitedHealth Group-owned services company Episource sent letters to customers July 11 about a third-party data breach involving sensitive patient data, security experts said one of the real dangers lies in the potential stolen identities of patients.

“The compromised data may include detailed medical histories linked to real identities — something much more valuable and harder to change than a credit card number,” said Preston Duren, vice president of threat services at Fortified Health Security.

News of the Episource breach raised some eyebrows in the security industry because Episource was owned by UnitedHealth’s Optum, which was at the center of the high-profile Change Healthcare breach last year.

Fortified Health Security's Duren pointed out that while Episource isn’t a household name, it’s deeply embedded in healthcare operations, adding that a breach here means attackers may now have an entry point into a much wider healthcare ecosystem, including insurance claims, provider networks, and patient care pathways.

The Episource breach became more widely known on June 6, when Episource told the U.S. Department of Health and Human Services that the breach affected 5,418,866 people. Episource, which was acquired by UnitedHealth’s subsidiary Optum in 2023, posted on its website that it first learned of the breach on Feb. 6, 2025.

In its letter to customers, Episource said that the sensitive healthcare data potentially stolen included the following:

- Health insurance data, such as health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
- Health data, including medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment.
- Other personal data, such as Social Security number or dates of birth.

While Episource did not disclose the breach as a ransomware incident, it was reported that one of its customers, Sharp HealthCare, confirmed it was one of the customers affected by a ransomware data breach via Episource.

It should be noted that under HIPAA regulations, Episource is not required to report the specific nature of the incident — in this case ransomware — only that a cybersecurity incident took place.

Nic Adams, co-founder and CEO of 0rcus, said the danger transcends simple financial identity theft. For healthcare consumers, Adams said the risk is the creation of a permanent, weaponizable digital dossier.

“Don't think of it as just a credit card number that can be canceled because it is a person's complete medical history: diagnoses, medications, procedures, and potentially genetic markers,” said Adams. “Sensitive information can be used for precision-targeted social engineering attacks, sophisticated blackmail, and long-term discrimination in areas like life insurance or employment, regardless of current legal protections.”

Adams added that while specific details on the intrusion vector are not yet public, these events almost always trace back to a few common engineering failures.

“The most probable culprits are insecure APIs connecting to health plan systems, a failure to patch a known vulnerability in a third-party software library, misconfigured cloud storage assets like an Amazon S3 bucket, or a successful spear-phishing campaign against an employee with privileged access to production data,” said Adams.
Identity, Ransomware, Breach

Stolen identities a fear after Episource breach affects 5.4M patients





