What Affected Consumers in California, Vermont, and Minnesota Need to Know
If you received (or suspect you should have received) a notice that your information was involved in the Episource data breach, please fill out the secure intake form on this page or call us at (800) 965-1461 for a free and confidential case review. We are actively evaluating claims for affected residents of California, Vermont, and Minnesota.
At a Glance
| Key Point | Details |
|---|---|
| Incident window | January 27 to February 6, 2025 |
| Discovery date | February 6, 2025 |
| Notification began | April 23, 2025 (rolling mail notices) |
| Individuals affected | Approximately 5,418,866 (5.4 million+) |
| Data exposed (varies) | Contact info, insurance data, medical details, dates of birth, Social Security numbers in some cases |
Do not wait to act. Identity and medical fraud risks can persist for years after a breach.
What Is Episource and Why Do They Have My Data?
Episource is a healthcare data and technology vendor that supports health plans and healthcare providers with services that include risk adjustment, medical coding, data analytics, and related support functions. Because Episource works behind the scenes for payors and provider networks, many people learn about the company for the first time only after receiving a data breach letter.
What Happened: Timeline of the Episource Data Breach
Investigators determined that a cybercriminal gained access to Episource systems and was able to view and copy data between January 27 and February 6, 2025. Episource detected unusual activity on February 6, 2025, shut down affected systems, engaged forensic specialists, and notified law enforcement.
Following the investigation, Episource began coordinating notifications with its healthcare clients and started mailing data breach letters to impacted individuals beginning April 23, 2025, with additional regulator filings in the weeks that followed.
Regulators have been notified at both the federal and state levels. Episource reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), which tracks large health information breaches.
What Information Was Exposed?
The specific information compromised differs from person to person, but reports from Episource’s notice, industry coverage, and regulator filings indicate that one or more of the following data elements may have been involved:
- Name, mailing address, phone number, email address
- Date of birth
- Social Security number (SSN) in some cases
- Health plan or insurance policy information
- Medicaid, Medicare, or other government payor identifiers
- Medical record numbers
- Diagnoses and clinical information
- Test results, imaging, care and treatment details
- Provider or doctor identifying information
No payment card or banking information has been reported as exposed. Even without financial account data, the mix of personal and health data creates significant risks for identity theft, medical fraud, targeted scams, and insurance misuse.
Why This Matters: Risks to You
Healthcare data has a high black‑market value because criminals can combine medical history, identifiers, and Social Security data to submit false insurance claims, open credit lines, or craft convincing phishing attacks. Stolen health data is also harder to “reset” than a password, it can remain useful to fraudsters for years. Episource and industry security analysts urge affected individuals to remain alert for impersonation attempts, suspicious insurance activity, and identity theft.
Who Is Affected?
Episource’s HHS OCR submission indicates that approximately 5,418,866 individuals nationwide were impacted. Because Episource provides services to multiple health plans and provider systems, affected people are spread across the United States. Many are just now receiving mailed notices as client organizations complete their own outreach.
Some health systems have separately confirmed that their patient data was affected through Episource. For example, Sharp HealthCare reported that information hosted within the Episource environment related to its patients was accessed without authorization during the breach window. This illustrates how the incident can reach patients through their healthcare provider even when they have never heard of Episource.
State Regulatory Filings: Why California and Vermont Matter (and Where Minnesota Fits In)
Public breach listings show that Episource has submitted notices to multiple state regulators, including California and Vermont, both of which require sample breach letters to be filed and posted when large numbers of residents are affected. These state postings help confirm the scope of the incident and give consumers access to the notice text and protective services being offered.
Additional state filings reported include Texas, Massachusetts, and New Hampshire. Even if you live in a state not yet publicly listed, you may still be affected if your provider or health plan used Episource services.
Minnesota residents: Episource’s corporate privacy office address in past notices has referenced an Optum location in Minnesota, and Minnesota law requires prompt consumer notification when certain personal information is breached. While we have not yet seen a Minnesota Attorney General posting specific to this incident, Minnesota residents whose data was handled by Episource or its parent entity may have rights under state breach notification and emerging consumer data privacy laws.
Your Rights by State
Below is a practical overview for residents of California, Vermont, and Minnesota. This summary is informational and not legal advice. Your situation may differ based on the type of data involved and your relationship to your health plan or provider.
California Residents
California law requires companies that experience a breach affecting more than 500 state residents to provide notice to the California Attorney General and to impacted consumers without unreasonable delay. You have the right to receive a clear description of what happened, what information was exposed, and steps you can take to protect yourself. California privacy and consumer protection laws also provide potential remedies when companies fail to use reasonable security practices.
Vermont Residents
Vermont’s Attorney General publishes breach notices submitted by organizations when Vermont residents are impacted. These notices typically describe the incident, list the categories of data involved, and explain any protective services being offered such as credit monitoring. If you live in Vermont and received a letter, you should enroll in the offered monitoring and consider additional identity protection steps.
Minnesota Residents
Minnesota’s breach notification statute requires businesses that own or license personal information about Minnesota residents to notify affected individuals in the most expedient time possible and without unreasonable delay. Substitute notice and notice to consumer reporting agencies may be required when large groups are affected. Separate from breach notice rules, the Minnesota Consumer Data Privacy Act (effective July 31, 2025) expands obligations for companies handling Minnesotans’ personal data. If your information was part of the Episource incident, timely notice and transparent disclosures matter for preserving your rights.
Potential Claims Under Investigation
Law firms across the country are investigating whether Episource and related entities:
- Used adequate cybersecurity safeguards proportional to the sensitivity of the health and personal data stored.
- Provided timely notice to affected individuals as required under state data breach laws and HIPAA breach notification requirements.
- Adequately informed consumers of the specific data elements compromised so they can protect themselves.
- Offered sufficient identity and credit protection in light of the risks.
Delays in notification and alleged security deficiencies are common theories advanced in healthcare data breach class actions.
What Compensation or Relief Might Be Available?
Potential recovery in data breach litigation can vary, but plaintiffs often seek:
- Reimbursement for out‑of‑pocket costs such as credit freezes, credit monitoring upgrades, or identity restoration services.
- Compensation for time spent responding to the breach (tracking credit, contacting agencies, replacing documents).
- Damages tied to actual or imminent identity theft, medical identity fraud, or fraudulent insurance claims.
- Injunctive relief requiring stronger data security and independent security audits going forward.
Early class action investigations typically work to document economic and time losses, as well as heightened risk of future harm.
What You Should Do Now
1. Confirm whether you were affected. Check your mail for a notice letter from Episource or from your health plan or provider referencing Episource. If unsure, contact us and we can help you confirm.
2. Enroll in free identity protection services offered through IDX. Episource is providing credit monitoring and identity restoration tools at no cost to affected individuals. Enrollment instructions are in the notice letter and available through the Episource response site.
3. Monitor financial, insurance, and medical accounts. Watch for new accounts, claims you did not authorize, or address changes. Report suspicious activity promptly.
4. Consider a credit freeze or fraud alert. Freezes help block new credit accounts opened in your name. Fraud alerts require creditors to take extra steps to verify your identity.
5. Keep records. Save all letters, emails, and any evidence of suspicious charges or insurance activity. Documentation can strengthen your legal claim.
How to Join the Episource Data Breach Lawsuit Investigation
We are reviewing claims for residents of California, Vermont, and Minnesota whose personal or medical information may have been compromised in the Episource incident. To get started:
- Fill out the secure form on this page with your contact information and describe any notice letter you received.
- Or call us directly at (800) 965-1461 for immediate assistance.
There is no cost for our initial review. Time limits can apply under state law, so contacting us promptly helps protect your rights.
Frequently Asked Questions
Episource works for health plans and providers behind the scenes. Your doctor, clinic, insurer, or Medicare plan may use Episource for coding or analytics that involve your data. When Episource was breached, your information may have been affected through that relationship.
Yes. Many large breaches show no immediate misuse, yet stolen data can circulate for months or years before being used in fraud. The combination of medical and personal identifiers is particularly valuable to attackers. Enroll in monitoring and stay vigilant.
Yes. Because Episource’s services reach multiple health systems nationwide and Minnesota’s breach and privacy laws protect residents when their personal data is compromised, we want to hear from Minnesota residents who believe their data may have flowed through Episource or a related Optum/UnitedHealth entity. We can help you investigate.
Please locate any data breach notice letter, insurance statements, explanation of benefits, or recent unusual account notices. If you have already enrolled in identity protection, note your enrollment date and any alerts received. These materials help us evaluate potential damages.
About Audet & Partners, LLP
We represent consumers and patients in complex class actions and data privacy litigation nationwide. Our team is actively reviewing the Episource Data Breach Lawsuit on behalf of individuals in California, Vermont, and Minnesota. When healthcare data is compromised, consumers deserve answers, accountability, and meaningful protections going forward. Contact us today.