A medical billing company tied to UnitedHealth has suffered one of the year’s largest healthcare breaches.
More than 5.4 million people have been caught in the fallout.
Episource, which handles claims and billing for doctors and hospitals, said a criminal gained access to its systems earlier this year. The breach lasted a week, ending on 6 February.
In that time, the attacker was able to “see and take copies” of patient data.
The information stolen includes names, phone numbers, addresses, emails. It also includes medical record numbers, test results, diagnoses, prescriptions, and other treatment data. Insurance plans and policy numbers were also taken.
Episource didn’t say how the breach happened.
However, Sharp HealthCare, one of its clients, told patients the attack was ransomware.
The breach has been listed on the U.S. Department of Health and Human Services website. That makes it one of the largest health data breaches so far this year.
Episource is owned by Optum, a subsidiary of UnitedHealth Group. The parent company has faced mounting security pressure. Change Healthcare, also owned by UnitedHealth, was hit by a major ransomware attack last year.
The company says it is contacting those affected. But the damage is already done. Names. Diagnoses. Test results. All in the hands of criminals.
Focusing on Third-Party Providers
Piyush Pandey, CEO at Pathlock, believes this breach signals that threat actors are shifting their focus from hospitals and clinics to third-party providers, because compromising a single provider gives them access to massive amounts of PHI at once.
“Once adversaries get their hands on this data, they can misuse it for many years ahead for highly personalized scams and blackmail campaigns. A breach of this scale drives compliance risks and more stringent regulatory scrutiny for every entity in the healthcare supply chain.”
Remain Vigilant and Monitor
Nivedita Murthy, Senior Staff Consultant at Black Duck, says key takeaways from this incident include the need to encrypt customer data, restrict access, and monitor for suspicious activity.
“Any access to this information should be monitored and alerts should be set up in case any data is being moved out of the network. Continuous network monitoring and audits are also crucial to prevent similar breaches and to ensure that there are no gaps in security and uncompromised trust in the software. While Episource is offering credit monitoring and identity protection services, UnitedHealth customers should remain vigilant and closely monitor their claims to prevent misuse, as these services may not detect fraudulent medical claims in a timely manner,” she adds.
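The egress alerting Murthy describes can be expressed as a small rule over outbound flow records. The following is an added example written for this article, not code from Episource, Black Duck or any vendor quoted here; the flow format (`timestamp,src_host,dst_ip,bytes_out`), the internal address ranges, the allow-listed external destination and the 500 MB per-host threshold are all assumptions chosen for illustration, and the sample records are constructed.

```python
"""Per-host egress alerting over outbound flow records (added illustration).

Two conditions raise an alert for a host within the observed window:
  * total bytes sent to external addresses exceeds a policy threshold, or
  * data is sent to an external destination not on the sanctioned list.
Assumed record format: timestamp,src_host,dst_ip,bytes_out (constructed).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: a billing application host pushes an unusual volume
# to an unknown external address; the claims database only talks internally.
SAMPLE_FLOWS = """\
2025-02-01T09:00:00,claims-db-01,10.20.0.15,120000
2025-02-01T09:05:00,claims-db-01,10.20.0.15,98000
2025-02-01T09:10:00,billing-app-02,203.0.113.10,45000
2025-02-01T09:15:00,billing-app-02,198.51.100.77,900000000
2025-02-01T09:20:00,billing-app-02,198.51.100.77,1200000000
2025-02-01T09:25:00,claims-db-01,10.20.0.15,110000
"""

# Assumed internal address space (RFC 1918) and one sanctioned external
# destination, e.g. a claims clearinghouse (constructed address).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
KNOWN_EXTERNAL_DSTS = {"203.0.113.10"}
EGRESS_BYTES_THRESHOLD = 500_000_000  # assumed policy: 500 MB per host per window


def parse_flows(text):
    """Parse the assumed CSV-like flow format into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def is_external(ip_str):
    """True when the destination lies outside the assumed internal ranges."""
    ip = ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def summarise_egress(flows):
    """Aggregate external bytes and unknown destinations per source host."""
    summary = defaultdict(lambda: {"bytes": 0, "unknown_dsts": set()})
    for f in flows:
        if not is_external(f["dst"]):
            continue  # internal traffic is out of scope for egress alerting
        entry = summary[f["src"]]
        entry["bytes"] += f["bytes"]
        if f["dst"] not in KNOWN_EXTERNAL_DSTS:
            entry["unknown_dsts"].add(f["dst"])
    return dict(summary)


def find_alerts(flows, threshold=EGRESS_BYTES_THRESHOLD):
    """Return one alert per host that trips the volume or destination rule."""
    alerts = []
    for host, entry in sorted(summarise_egress(flows).items()):
        reasons = []
        if entry["bytes"] > threshold:
            reasons.append("egress volume %d bytes exceeds %d" % (entry["bytes"], threshold))
        if entry["unknown_dsts"]:
            reasons.append("unknown external destination(s): "
                           + ", ".join(sorted(entry["unknown_dsts"])))
        if reasons:
            alerts.append({"host": host, "bytes": entry["bytes"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_flows(SAMPLE_FLOWS)):
        print(alert["host"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

On the constructed sample only `billing-app-02` is flagged, for both the volume and the unknown destination; `claims-db-01` never appears in the summary because all of its traffic stays internal. In production the threshold would be derived from a per-host baseline rather than a fixed number, and the sanctioned-destination list would come from the organisation's vendor inventory.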
Relentless Cyber Attacks
Guru Gurushankar, Senior Vice President & GM, Healthcare and Life Sciences at ColorTokens, comments: “This incident once again highlights the necessity of preventing unauthorized lateral movement within one’s network. This is critical for healthcare organizations to maintain their digital operational resilience in the face of relentless cyberattacks, and it does not appear that there will be any letup from these attacks moving forward. In other words, organizations have to become breach-ready – this is essential to survival.”
Episource was also a target of an earlier minor breach in 2023, Gurushankar adds. “A solution to prevent lateral movement would be an ideal solution to contain breaches. Lateral movement prevention solutions are needed, in addition to other perimeter-based defenses, to bring this increasing menace under control.”
Less Prepared for Cyber Risk
James Maude, Field CTO at BeyondTrust, says healthcare has been historically less prepared for cyber risks than other industries and bad actors are taking advantage of this. HIPAA recorded 677 major healthcare breaches in 2024, hacking being the dominant cause.
“The security challenges extend beyond the healthcare providers themselves, with almost a third of breaches (32.2%) involving the compromise of third parties. Ransomware, once a rare occurrence in healthcare, is now at the top of most providers’ agendas as legacy remote access solutions provide a quick entry point to land and expand, with severe consequences,” Maude adds.
“By enforcing Privileged Remote Access built on least-privilege principles, organizations can grant vendors, suppliers and remote workers only the access and privilege they need, and only for the duration of their work, dramatically reducing over-entitlement and shrinking the attack surface. No more broad access to the network, no more standing privileges waiting to be exploited,” he ends.
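The least-privilege, time-bound vendor access Maude describes comes down to a simple authorization model: a grant names one principal, a narrow resource scope, the permitted actions and an expiry, and every request is evaluated against the current time. The following is an added example written for this article, not code from BeyondTrust or any other vendor quoted here; the grant fields, the glob-style resource scoping, the `CHG-0001` change ticket and the eight-hour maximum grant lifetime are assumptions chosen for illustration.

```python
"""Time-bound, scoped access grants for third parties (added illustration).

A grant is the opposite of a standing privilege: it is tied to one principal,
a narrow resource pattern, a fixed action set and a short validity window,
and can be revoked early. Field names and limits are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

MAX_GRANT_DURATION = timedelta(hours=8)  # assumed policy ceiling


@dataclass
class AccessGrant:
    principal: str          # e.g. a vendor technician's identity
    resources: tuple        # glob patterns such as "host:billing-app-*"
    actions: frozenset      # e.g. {"rdp"}; anything else is denied
    not_before: datetime
    expires_at: datetime
    ticket: str             # change/ticket reference justifying the access
    revoked: bool = False

    def covers(self, resource, action):
        """True when the request falls inside this grant's scope."""
        return action in self.actions and any(
            fnmatchcase(resource, pattern) for pattern in self.resources)


def issue_grant(principal, resources, actions, ticket, now,
                duration=timedelta(hours=2)):
    """Create a grant valid from `now` for `duration`, capped by policy."""
    if duration > MAX_GRANT_DURATION:
        raise ValueError("requested duration exceeds policy maximum")
    return AccessGrant(principal=principal, resources=tuple(resources),
                       actions=frozenset(actions), not_before=now,
                       expires_at=now + duration, ticket=ticket)


def revoke(grant):
    """Terminate a grant before its natural expiry (e.g. work finished early)."""
    grant.revoked = True


def authorize(grants, principal, resource, action, now):
    """Return (allowed, reason); deny is the default when nothing matches."""
    reason = "no matching grant"
    for g in grants:
        if g.principal != principal or not g.covers(resource, action):
            continue
        if g.revoked:
            reason = "grant revoked"
        elif now < g.not_before:
            reason = "grant not yet active"
        elif now >= g.expires_at:
            reason = "grant expired"
        else:
            return True, "grant %s" % g.ticket   # first active grant wins
    return False, reason


def demo():
    """Walk a constructed vendor session through the grant's lifecycle."""
    t0 = datetime(2025, 2, 1, 9, 0, tzinfo=timezone.utc)
    grant = issue_grant("vendor-tech", ["host:billing-app-*"], {"rdp"},
                        "CHG-0001", t0)
    grants = [grant]
    results = {
        "in_window": authorize(grants, "vendor-tech", "host:billing-app-02",
                               "rdp", t0 + timedelta(hours=1)),
        "other_host": authorize(grants, "vendor-tech", "host:claims-db-01",
                                "rdp", t0 + timedelta(hours=1)),
        "other_action": authorize(grants, "vendor-tech", "host:billing-app-02",
                                  "ssh", t0 + timedelta(hours=1)),
        "after_expiry": authorize(grants, "vendor-tech", "host:billing-app-02",
                                  "rdp", t0 + timedelta(hours=3)),
    }
    revoke(grant)
    results["after_revoke"] = authorize(grants, "vendor-tech",
                                        "host:billing-app-02", "rdp",
                                        t0 + timedelta(hours=1))
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print("%-13s %s (%s)" % (name, "ALLOW" if allowed else "DENY", reason))
```

The point of the model is what it refuses by default: the same technician is denied on a different host, on a different protocol, after the window closes and after early revocation, without anyone having to remember to remove a standing account. In a real deployment the grant store would be the privileged-access product's own policy engine and the decision log would feed the monitoring described earlier in the article.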
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.