Episource, a medical billing organization, has notified individuals that their personal and health data was stolen in a cyberattack. According to a listing from the United States Department of Health and Human Services, this breach affects 5.4 million individuals. 

Earlier this year, in a week long breach ending February 6, 2025, a malicious actor was able to access and copy patient and member data from the organization’s systems. The stolen data includes: 

• Doctor data
• Medical records
• Diagnoses and test results 
• Medications
• Imaging
• Care details and other treatment
• Health insurance information 

While the organization did not specify the nature of the cyberattack, Sharp Healthcare (an organization that works with Episource and was affected by the attack) revealed that it was a ransomware incident. 

Below, security leaders discuss implications, key takeaways and more about this incident. 

Security Leaders Weigh In

Mr. Piyush Pandey, CEO at Pathlock:

This breach signals that threat actors are shifting their focus from hospitals and clinics to third-party providers, because this approach allows them to get access to massive amounts of PHI at a time. Once adversaries get their hands on this data, they can misuse it for many years ahead for highly personalized scams and blackmail campaigns. A breach of this scale drives compliance risks and more stringent regulatory scrutiny for every entity in the healthcare supply chain.

Ms. Nivedita Murthy, Senior Staff Consultant at Black Duck:

Episource, the software and infrastructure behind Optum Pharmacy, suffered a data breach when attackers gained access to its network and systems, extracting sensitive information over 11 days. Concerningly, the breach exposed medical information, including diagnosis and test data, compromising patient confidentiality which could be used for nefarious purposes.

Key takeaways from this incident include the need to encrypt customer data, restrict access, and monitor for suspicious activity. Any access to this information should be monitored and alerts should be set up in case any of data being moved out of the network. Continuous network monitoring and audits are also crucial to prevent similar breaches and to ensure that there are no gaps in security and uncompromised trust in the software. While Episource is offering credit monitoring and identity protection services, United Health customers should remain vigilant and closely monitor their claims to prevent misuse, as these services may not detect fraudulent medical claims in a timely manner. 

Guru Gurushankar, Senior Vice President & GM, Healthcare and Life Sciences at ColorTokens:

Episource provides Risk Adjustment solutions, quality metrics reports, compliance with Healthcare Effectiveness Data and Information Set (HEDIS) and Medicare star ratings, clinical services (chart abstraction, medical coding, etc.), and other technology solutions to process medical records and identify gaps in care and/or coding.

The breach earlier this year resulted in exfiltration of 5.5M of sensitive patient data — including all personal details, SSN, and insurance details. There has been no mention of any ransom demand. This could have easily escalated to become a ransom scenario where the business operations of Episource could have been brought to a complete standstill.

This incident once again highlights the necessity of preventing unauthorized lateral movement within one’s network. This is critical for healthcare organizations to maintain their digital operational resilience in the face of relentless cyberattacks, and it does not appear that there will be any letup from these attacks moving forward. In other words, organizations have to become breach-ready — this is essential to survival.

Episource was also a target of an earlier minor breach in 2023. A solution to prevent lateral movement would be an ideal solution to contain breaches. Lateral movement prevention solutions are needed, in addition to other perimeter-based defenses, to bring this increasing menace under control.

James Maude, Field CTO at BeyondTrust:

Healthcare delivery today depends on a vast ecosystem of IT, OT and medical devices supplied and managed by third-party vendors. Electronic Health Record (EHR) support teams, medical device manufacturers, billing partners, tele-health platforms, and more, to keep systems running and patients cared for. Often the devices and systems were not built with security or modern connectivity in mind, their long lifespans have surpassed the operating systems that run them meaning they can’t be patched but keeping them operational remains a matter of life and death.

Every device and external connection in this ecosystem represents a potential entry point for attackers. This toxic combination of vulnerabilities and access is a prime example of why healthcare has become such attractive targets for attackers. The FDA has recently called for “Secure-by-design” practices to be implemented but with lifespans of 5 to 15+ years for medical devices the problems won’t be cured overnight.

Healthcare has been historically less prepared for cyber risks than other industries and attackers are increasingly taking advantage of this with HIPAA recording 677 major healthcare breaches in 2024, hacking being the dominant cause. The security challenges extend beyond the healthcare providers themselves with almost a third of breaches (32.2%) involving the compromise of third parties. Ransomware, once a rare occurrence in healthcare is now on the top of most providers agenda as legacy remote access solutions provide a quick entry point to land and expand with severe consequences.

This complex landscape of vulnerable devices and third party remote access creates an urgent need for a coordinated Privileged Remote Access (PRA) strategy. Traditional VPN solutions used by many in healthcare to allow access to systems and devices are at best unsuitable and at worst an exploitable attack vector. A number of healthcare breaches have involved the direct exploitation of VPNs or have used VPN access via compromised credentials to inflict damage. 

By enforcing Privileged Remote Access built on least-privilege principles, organizations can grant vendors, suppliers and remote workers only the access and privilege they need, and only for the duration of their work, dramatically reducing over-entitlement and shrinking the attack surface. No more broad access to the network, no more standing privileges waiting to be exploited.

VPNs were designed to connect entire networks and don’t offer the fine-grained capabilities (scope, timing, approval etc.) that is needed to truly be effective in controlling remote access risks. Also, given the sensitive nature of the data at stake, comprehensive auditing and logging every keystroke, command, and file transfer in immutable records, are required to give the full audit trail and visibility need to satisfy HIPAA and HITECH compliance audits or to investigate any suspicious activity.

Modern healthcare organizations are also incorporating real-time session monitoring with their security tooling to perform behavioral analytics and generate automated alerts. Any anomalous vendor behaviors, such as unusual file exports or unexpected command-line launches, are detected and halted before they can escalate into breaches. By combining least-privilege access controls, granular session recording, and proactive monitoring, healthcare organizations can maintain the critical third-party support they depend on while safeguarding patient data and fortifying their regulatory posture.

When it comes to protecting healthcare systems both young and old prevention is the best medicine. By implementing a privileged remote access strategy we can eliminate those common entry points for infection, build cyber resilience and focus on patient health.