
Episource ransomware attack leaked patient health data
Diverging Reports Breakdown
2 Software Firms Report Major Health Data Theft Hacks
Ocuco and Episource are among the latest third-party software vendors reporting major data theft incidents. Ocuco told the U.S. Department of Health and Human Services its hacking incident affected nearly 241,000 individuals. Episource has started notifying individuals in several states, including California and Texas, about a ransomware incident discovered in February. Some of those affected clients this week also began issuing public notices about the incident, including healthcare delivery system Sharp HealthCare in California and health insurer Horizon Blue Cross Blue Shield of New Jersey. “We learned from our investigation that a cybercriminal was able to see and take some copies of our computer systems,” Sharp said in its breach notice. “Information in our system had been accessed without authorization between Jan. 27 and Feb. 6, 2025,” Episource said in a notice to law enforcement about its breach. “We have hired cybersecurity specialists to help in the response and investigation,” Sharp added in its notice to the law enforcement agency about its data breach.
Ocuco and Episource Breaches Affect Health Sector Clients, Patients
Ocuco, an Ireland-based provider of eye care practice and optical laboratory software, and Episource, a California-based medical coding services firm, have reported separate hacking incidents to U.S. and state regulators that have likely affected dozens of their clients and hundreds of thousands of people.
Dublin, Ireland-based Ocuco, which says it provides software and services to 6,750 client sites in 88 countries, reported to the U.S. Department of Health and Human Services on May 30 that its hacking incident involving a network server affected nearly 241,000 individuals.
Ransomware gang KillSec on its dark web leak site claims to have more than 340 gigabytes of Ocuco’s data, including 670,344 files and 26,838 folders.
An Ocuco spokesperson in a statement provided to Information Security Media Group on April 1 said that the company learned through a posting on a dark web site that “a third party” claimed to have stolen information from Ocuco’s environment.
“We immediately took steps to secure our virtual environment and launched an investigation to determine if this claim was legitimate by engaging external cybersecurity experts,” the statement said.
“Our investigation determined that there was unauthorized access to two of our non-production servers and certain files stored therein, which was enabled by a newly discovered vulnerability – that was not timely disclosed to Ocuco – contained within third-party software we use on those systems,” the Ocuco statement said.
“We have fully patched the vulnerability and implemented other additional security processes and procedures to further strengthen our overall cybersecurity posture.”
Ocuco said it is still in the process of performing a detailed review of the files that were involved in the incident to identify individuals whose information may have been contained in the files.
“As soon as this process has been completed, we will start the process of notifying relevant parties and individuals, as well as providing resources to help protect their personal information, in accordance with applicable law,” Ocuco said.
“We have also undertaken a general review of our cybersecurity controls and procedures with a focus on maintaining the highest levels of security for our network, systems and data as we move forward.”
Ocuco did not immediately respond to ISMG’s request for other details about the incident, including the number of individuals potentially affected globally and the type of third-party software vulnerability exploited in the hack.
Episource Hack
Meanwhile, Episource LLC, based in Gardena, Calif., has started notifying individuals in several states, including California and Texas, about a ransomware incident discovered in February.
In the Lone Star State alone, Episource told regulators that the incident affected 24,259 individuals. The company’s report to California’s attorney general does not say how many were affected in that state. As of Friday, Episource’s hacking incident has not yet appeared on the HHS’ Office for Civil Rights HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Episource provides medical coding and risk adjustment software and services to healthcare sector clients. Some of those affected clients this week also began issuing public notices about the incident, including healthcare delivery system Sharp HealthCare in California and health insurer Horizon Blue Cross Blue Shield of New Jersey.
“On April 24, Episource, a Sharp HealthCare and Sharp Community Medical Group business associate, confirmed Sharp was one of their customers affected by a ransomware data breach,” Sharp said in its breach notice.
“Immediately after becoming aware of the vulnerability, Episource stopped access to their system application and began a thorough investigation to determine if our information was affected. That investigation confirmed that Sharp information hosted on the system had been accessed and acquired without authorization between Jan. 27 and Feb. 6, 2025,” Sharp said.
Episource in its breach notice said it notified law enforcement about the incident and hired cybersecurity specialists to help in the response and investigation.
“We learned from our investigation that a cybercriminal was able to see and take copies of some data in our computer systems,” Episource said.
Information affected varies among individuals but potentially includes name, address, phone number, email address, date of birth, health insurance such as health plans/policies, insurance companies, member and group ID numbers, Medicaid-Medicare-government payer ID numbers, medical record numbers, doctors, diagnoses, medicines, test results, images, care and treatment. Social Security numbers were also affected “in limited instances,” Episource said.
Episource did not immediately respond to ISMG’s request for additional details about the hack, including the total number of clients and people affected.
Several large U.S. law firms have also issued separate public notices in recent days about the Ocuco and Episource breaches, saying they are investigating the incidents for potential class action litigation. By Friday, at least two proposed class-action lawsuits had been filed against Episource in a California federal court involving the company’s breach.
As of Friday, the HHS OCR website shows 314 major data breaches posted so far in 2025 affecting more than 22.3 million individuals. Of those, 113 affecting more than 9.5 million were reported as involving a business associate, such as a software services provider or other third-party vendor.
EpiSource LLC Confirms Recent Data Breach Stemming from Unauthorized Access to AWS Information
On June 2, 2023, EpiSource LLC filed a notice of data breach with the Attorney General of California. The incident resulted in an unauthorized party gaining access to consumers’ names, dates of birth, addresses, phone numbers, medical record numbers, provider information, diagnoses and medications. After confirming that consumer data was leaked, EpiSource began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. If you have been impacted by this incident, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are, reach out to a data breach lawyer for assistance.
If you received a data breach notification from EpiSource, it is essential you understand what is at risk and what you can do about it. As we’ve discussed in previous posts, software companies have recently become a major target for hackers hoping to steal confidential information they can use to commit identity theft and other frauds. However, there are steps you can take to mitigate these risks. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the EpiSource data breach, reach out to a data breach lawyer for assistance.
What We Know So Far About the EpiSource Breach
News of the EpiSource data breach is still fresh; however, what we know at this point comes from the company’s filing with the Attorney General of California. According to this source, on February 20, 2023, EpiSource detected suspicious activity within the company’s AWS environment. In response, EpiSource took the necessary steps to contain the incident and prevent further access. Next, EpiSource launched an investigation into the incident with the assistance of an outside data security firm.
The EpiSource investigation revealed that an unauthorized party was able to access the company’s AWS environment between February 19, 2023 and February 23, 2023. Subsequently, on February 20, 2023, EpiSource confirmed that some of the files that were accessible to the unauthorized party contained confidential consumer information.
Upon discovering that sensitive consumer data was made available to an unauthorized party, EpiSource began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, date of birth, address, phone number, medical record number, health plan ID number, provider information, diagnoses and medications. EpiSource has confirmed that the incident did not impact Social Security numbers or financial account information.
On June 2, 2023, EpiSource sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About EpiSource LLC
Founded in 2006, EpiSource LLC is a software company based in Gardena, California. The company creates software for health plans and providers, enabling them to manage risk. Some of the issues that EpiSource software allows health plans and providers to manage include analytics, program management, gap closure, reporting, and CMS submissions. EpiSource employs more than 5,000 people and generates approximately $1.1 billion in annual revenue.
UnitedHealth says hack at tech unit impacted 190 million people
The cyberattack at UnitedHealth Group’s (UNH.N) tech unit last year affected the personal information of 190 million people. It is the largest healthcare data breach in the United States. The final number will be confirmed and filed with the U.S. Department of Health and Human Services’ office for civil rights at a later date. The cyberattack was perpetrated by hackers who identified themselves as the “Blackcat” ransomware group.
Jan 24 (Reuters) – The cyberattack at UnitedHealth Group’s (UNH.N) tech unit last year affected the personal information of 190 million people, the health conglomerate said on Friday, making it the largest healthcare data breach in the United States.
The hack at Change Healthcare affected the personal information of 100 million people, the U.S. health department had posted on its website in October.
The final number will be confirmed and filed with the U.S. Department of Health and Human Services’ office for civil rights at a later date, the company said in an emailed statement.
The cyberattack disclosed in February at Change Healthcare was perpetrated by hackers who identified themselves as the “Blackcat” ransomware group, causing widespread disruptions in claims processing and impacting patients and providers across the country.
“Change Healthcare is not aware of any misuse of individuals’ information as a result of this incident and has not seen electronic medical record databases appear in the data during the analysis,” the company said, adding that it has provided individual or substitute notice to the “vast majority” of those impacted.
The company issued a public notice about the ransomware hack in June last year as part of its requirements under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulation requires companies to notify patients of data exposures.
Information made vulnerable in the UnitedHealth attack is believed to include health insurance member IDs, patient diagnoses, treatment information and social security numbers, as well as billing codes used by providers.
Reporting by Mariam Sunny in Bengaluru; Editing by Alan Barona, Muralikumar Anantharaman and Diane Craft
Source: https://www.healthcareitnews.com/news/episource-ransomware-attack-leaked-patient-health-data