UnitedHealth subsidiary exposes 5.5M patient records to hackers

Healthcare technology company Episource, a subsidiary of UnitedHealth, said it was hit by a ransomware attack in February, which resulted in a data breach that exposed patient records to hackers. It’s now begun sending notifications to those impacted.

According to a notice the company posted this week, an investigation confirmed unauthorized parties gained access to sensitive data stored on Episource servers during the cyberattack, at which time the incident was reported to authorities. The investigation concluded earlier this month; however, the company said it sent preliminary notices to its customers in April, alerting them to the possibility of data being stolen.

Episource provides analytics tools to providers and insurers, which largely help with revenue cycle and medical claims billing. As a result, it has access to patient information relevant to those processes.

Per the notice, data from both providers and payers was likely taken during the attack, which lasted roughly nine days, between Jan. 27 and Feb. 6.

"We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems," Episource wrote, adding, "Financial and banking information and payment cards largely were not impacted in this incident."

Exposed data reportedly includes contact information from patients, along with details on their insurance and health plans. This includes member IDs as well as Medicaid and Medicare IDs. Episource said health data could also have been accessed or taken, meaning information on procedures, diagnoses, test results, medical images, and treatments.

Social Security numbers could also have been compromised, along with dates of birth — as these are routinely included on medical claims awaiting processing.

Because much of the data comes from health systems and payers, the number of victims totals nearly 5.5 million, according to figures Episource submitted to the federal government’s healthcare data breach tracker.

Patients should remain vigilant 

The company advised patients to monitor their credit for any suspicious activity, which should be reported to law enforcement immediately. 

“Individuals should be on the lookout and regularly monitor the explanation of benefits statements received from their health plan and statements from health care providers, as well as bank and credit card statements, credit reports, and tax returns, to check for any unfamiliar activity,” Episource wrote. 

“If individuals notice any health care services they did not receive listed on an explanation of benefits statement, they should contact their health plan or doctor,” it added. 

In response to the attack, Episource said it has bolstered security and is working with law enforcement to investigate the incident.

To date, no hacker group has claimed responsibility for the attack, and no data trove stemming from the breach has been found on the dark web. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
