Over the past decade, software companies have built solutions for nearly every industry, including healthcare. One term you might be familiar with is software-as-a-service (SaaS), a model where software is accessed online through a subscription rather than installed on individual machines.
In healthcare, SaaS providers are now a common part of the ecosystem. But recently, many of them have made headlines for the wrong reasons. Several data breaches have been traced back to vulnerabilities at these third-party service providers. The latest incident comes from one such firm, which has now confirmed that hackers stole the health information of over 5 million people in the United States during a cyberattack that took place in January.
SaaS firm leads to major healthcare blunder
Episource, a big name in healthcare data analytics and coding services, has confirmed a major cybersecurity incident (via Bleeping Computer). The breach involved sensitive health information belonging to over 5 million people in the United States. The company first noticed suspicious system activity on February 6, 2025, but the actual compromise began ten days earlier.
An internal investigation revealed that hackers accessed and copied private data between January 27 and February 6. The company insists that no financial information was taken, but the stolen records do include names, contact details, Social Security numbers, Medicaid IDs, and full medical histories.
Episource claims there’s no evidence the information has been misused, but that’s a tired line. Just because they haven’t seen the fallout yet doesn’t mean it isn’t happening. Once data like this is out, it spreads fast, and the consequences don’t wait for official confirmation.
OVER 8 MILLION PATIENT RECORDS LEAKED IN HEALTHCARE DATA BREACH
Why healthcare SaaS is a growing target
The healthcare industry has embraced cloud-based services to improve efficiency, scale operations, and reduce overhead. Companies like Episource enable healthcare payers to manage coding and risk adjustment at a much larger scale. But this shift has also introduced new risks. When third-party vendors handle patient data, the security of that data becomes dependent on their infrastructure.
Healthcare data is among the most valuable types of personal information for hackers. Unlike payment card data, which can be changed quickly, medical and identity records are long-term assets on the dark web. These breaches can lead to insurance fraud, identity theft, and even blackmail.
Episource is not alone in facing this kind of attack. In the past few years, several healthcare SaaS providers have faced breaches, including Accellion and Blackbaud. These incidents have affected millions of patients and have led to class-action lawsuits and stricter government scrutiny.
5.5 MILLION PATIENTS EXPOSED BY MAJOR HEALTHCARE DATA BREACH
5 ways you can protect yourself from healthcare data breach
If your information was part of the healthcare breach or any similar one, it’s worth taking a few steps to protect yourself.
1) Change your password on every platform: If your login credentials have been exposed, it’s not enough to change the password on just one account. Cybercriminals often try the same combinations across multiple platforms, hoping to gain access through reused credentials. Start by updating your most critical accounts, email, banking, cloud storage, and social media, then move on to others. Use a new, unique password for each platform and avoid variations of old passwords, as they can still be predictable. Consider using a password manager to generate and store complex passwords.
- Unlimited password storage
- Secure sharing
- Password health reports
- Auto-fill and emergency access
- Data breach monitoring to alert you if your credentials have been exposed
- A Security Dashboard with tools like the Data Breach Scanner and Password Health Checker to identify weak, reused, or compromised passwords
CyberGuy Exclusive Deal: Save 52% now with CyberGuy’s exclusive NordPass offer – Get 1 extra month FREE with a 2-year plan. Try 30 days risk-free for only $1.43 per month!
2) Consider identity theft protection services: Since the healthcare data breach exposed personal and financial information, it’s crucial to stay proactive against identity theft. Identity theft protection services offer continuous monitoring of your credit reports, social security number, and even the dark web to detect if your information is being misused.
These services send you real-time alerts about suspicious activity, such as new credit inquiries or attempts to open accounts in your name, helping you act quickly before serious damage occurs. Beyond monitoring, many identity theft protection companies provide dedicated recovery specialists who assist you in resolving fraud issues, disputing unauthorized charges, and restoring your identity if it’s compromised.
One of the best parts of my top pick, Aura Identity Protection, is its all-in-one approach to safeguarding your personal and financial life. Aura includes identity theft insurance of up to $1 million per adult to cover eligible losses and legal fees, plus 24/7 U.S.-based fraud resolution support with dedicated case managers ready to help restore your identity fast.
Exclusive CyberGuy deal: Save up to 68% today: Get Aura’s award-winning identity theft protection and credit monitoring for as low as $9/month when billed annually.
See my full list of trusted identity theft protection services and expert tips to stay safe online.
3) Use personal data removal services: The healthcare data breach leaks loads of information about you, and all this could end up in the public domain, which essentially gives anyone an opportunity to scam you.
One proactive step is to consider personal data removal services, which specialize in continuously monitoring and removing your information from various online databases and websites. While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time.
Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.
Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.
- Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
- Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
- The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.
CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.
The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.
Is your personal information exposed online?
Run a free scan to see if your personal info is compromised. Results arrive by email in about an hour.
4) Have strong antivirus software: Hackers have people’s email addresses and full names, which makes it easy for them to send you a phishing link that installs malware and steals all your data. These messages are socially engineered to catch them, and catching them is nearly impossible if you’re not careful. However, you’re not without defenses.
The best way to safeguard yourself from malicious links is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
TotalAV is easy to set up and offers real-time protection for paid users, keeping your devices safe around the clock. It includes tools to block phishing scams, remove ransomware and spyware, and clean up adware and junk files. The software also features a browser manager, system tune-up tools, and protects across Windows, Mac, Android, and iOS devices.
GET MY EXCLUSIVE CYBERGUY TOTALAV DEAL:
Please note:
1) If you're having difficulty seeing either of the above deals, do this:
- If you're on a mobile device, hold down the link above, "Copy Link", and then paste it into a private or incognito browser.
- If you're on a laptop or desktop, right click the link, "Copy Link", and then paste it into a private or incognito browser.
2) During registration you may see optional upsells you can decline. Our top pick is the core antivirus product.
3) If you need help after your purchase, you can reach TotalAV directly through their official support page here.
5) Enable two-factor authentication: While passwords weren’t part of the data breach, you still need to enable two-factor authentication (2FA). It gives you an extra layer of security on all your important accounts, including email, banking, and social media. 2FA requires you to provide a second piece of information, such as a code sent to your phone, in addition to your password when logging in. This makes it significantly harder for hackers to access your accounts, even if they have your password. Enabling 2FA can greatly reduce the risk of unauthorized access and protect your sensitive data.
6) Be wary of mailbox communications: Bad actors may also try to scam you through snail mail. The data leak gives them access to your address. They may impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
WINDOWS 10 SECURITY FLAWS LEAVE MILLIONS VULNERABLE
Kurt’s key takeaway
What makes this breach especially alarming is that many of the affected patients may have never even heard of Episource. As a business-to-business vendor, Episource operates in the background, working with insurers and healthcare providers, not with patients directly. The people impacted were customers of those companies, yet it’s their most sensitive data now at risk because of a third party they never chose or trusted. This kind of indirect relationship muddies the waters when it comes to responsibility and makes it even harder to demand transparency or hold anyone accountable.
Do you think healthcare companies are investing enough in their cybersecurity infrastructure? Let us know in the comments below.
FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
Copyright 2025 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
🎙 Now Streaming: My New Podcast: The CyberGuy Report
Kurt’s Top Deals
Deals move fast and inventory can be limited, so don’t wait too long.
| 🔥 Editor’s pick  Summer entertaining Ninja SLUSHi Machine (26% off) Frozen drinks and slushies at home in minutes. | |
| 💰 Top deal  Outdoor essential TYPEC Solar Bug Zapper (36% off) Solar-powered bug zappers for patios and camping. |
6 comments
In 2024 I visited a physician’s office for the second time. The first time in completing their forms on paper, I had provided my SS# as xxx-xx-0000. When I returned a year later I was asked to provide my full SS#. I asked about their cybersecurity and was met with disdain and an insistence that I provide my SS#. I am insured through Medicare, and I have a supplement. So my SS# is unnecessary, in my mind. I refused to provide the number and was told I wouldn’t be seen. I left and sought another physician.
If your info has been stolen from these places they should be sued and the hospitals that use them also. Anyone that is an info gatherer should be able to be sued if they are going to be a info collection agency they are making money off of they should be the loser not the people they got the info from. I should not have to do all the stuff I did when I was notified my info was stolen, everything I have now is frozen.
Obviously the people who are supposed to be guarding our info, aren’t!!
Between my husband and I we’ve been the subject of about five healthcare breaches in the past few years. So far, we’re lucky that nothing has become of it. I think 2 parties are at fault – the medical system that hires Saas companies and the Saas. Itself. The medical system for not having performed a sufficient due diligence on the Saas —not personnel for the task, insufficient investment in training/education in their personnel, which would give them the tools to perform the task to the degree that was needed or too much trust that the Saas has, performs or does what it sells.
I believe the Saas shares fault for the same or similar reasons.
Both companies are scaling their business and as most professionals who’s ever been employed at a growing firm know, rapid growth usually means somewhere along the line, something has to give. Not enough time or energy to get it all done before a new challenge presents itself. Management did have the foresight or willingness to drop the bucks necessary to properly prepare the company for what’s to come.
Think healthcare companies should be more or do more diligence before hiring one of the type companies that was involved in this breach.
I’ve received no fewer than four notices that my medical information was stolen in cyber attacks on four separate healthcare systems. Recently, Medicare paid for DME I did not receive and which were supposedly ordered by a provider I’ve never used. I’ve notified Medicare of the unauthorized medical billings. Now I’m worried that someone else is using my Medicare number.
I, too, have been an identity theft victim and while I appreciate the comments/sentiments I’ve read thus far, all I can say is this is a problem that will never be fixed. Why? Because locked doors only keep honest people out. Those with the right tools, intent on entry, will break in. In the age of computer and software technology, you are never truly secure. If something appears secure, it’s an illusion. If Apple or Microsoft could build operating systems impervious to attack, it would have already been done.
Yes, when possible, criminals should be found and prosecuted. Companies that demonstrate they were negligent in having appropriate security in place should be penalized. But if you think businesses can provide impenetrable security, you simply don’t understand the breadth of the problem. Litigating them into non-existence solves nothing, but making things more expensive, removing another needed resource, and leaving the hackers laughing.
There is no system that is unhackable, even one not connected to the internet. It then just requires a local connection or someone on the inside to breach. It is possible to harden a system to the point that hackers or thieves might choose an easier target, but again, if it’s really worth the effort, people intent on entry will enter. In this environment it seems the best we can and should do is attempt to not be the low hanging fruit.
We should all do what we can to protect ourselves and follow the advice from sources like CyberGuy.com, but as long as there are dishonest people in the world, we will continue to remain potential victims.