A tech firm providing services to the healthcare industry said hackers stole information on millions of people in an incident discovered in early February.

Documents filed with the U.S. Department of Health and Human Services Department show that 5,418,866 people had information taken from Episource. 

California-based Episource disclosed in filings with the U.S. Department of Health and Human Services that more than 5.4 million people had their information taken, and said in a notice on its website that hackers had copied files from their system between January 27 and February 6.

The data stolen includes:

• Social Security numbers
• Health insurance ID numbers
• Medicaid-Medicare ID numbers
• Medical records covering doctor, diagnoses, test results, images, care and treatment

Law enforcement was involved in the investigation and the company said it was forced to turn off its computer system in order to protect customers and their patients. The company did not respond to requests for comment. 

Episource says it provides medical coding and risk adjustment services to doctors, health plans and health companies.

Victims of the data breach either received services from one of the doctors or were members of a health plan that uses Episource’s tools. 

The company said it is working with its customers to help them coordinate providing the notice to everyone affected. 

Episource urged victims to watch their benefit statements in case they are ever charged for services they did not receive. The company set up a call line for victims with questions. 

Some customers of Episource published their own breach notices, including Sharp Healthcare. 

Episource previously dealt with a data breach in 2023 that leaked much of the same information for an unknown number of people.

Episource was founded in 2006 and acquired in 2023 by Optum — a healthcare giant owned by UnitedHealth that was itself at the center of a large cybersecurity incident last year. Optum itself was forced to take some of its systems offline last February after a ransomware attack on its subsidiary Change Healthcare. 

That attack ended up leaking the sensitive healthcare information of 190 million people.