In recent years, software companies have developed solutions for various sectors, including healthcare. A term often encountered is software as a service (SaaS), which refers to software accessed online through a subscription rather than being installed on individual computers.
SaaS providers have become prevalent in the healthcare sector, though not always for favorable reasons. Several data breaches linked to vulnerabilities in these third-party services have recently made headlines.
The latest breach involved a company that confirmed hackers stole health information from over 5 million individuals in the U.S. during a cyberattack in January.
Data Breach Affects 430,000 Patient Records
Episolus, a specialist in healthcare data analysis, reported significant cybersecurity incidents. The breach compromised sensitive health information belonging to more than 5 million Americans. Suspicious activity was first detected on February 6, 2025, but the hacking began around January 27.
Internal investigations reveal that hackers accessed and copied private data in that time frame. While the company asserts no financial data was taken, the records included names, contact details, Social Security numbers, Medicaid IDs, and complete medical histories.
Although Episolus claims there’s no evidence of misuse of the information, it’s difficult to say for certain. When such sensitive data gets out, it can circulate rapidly, with consequences that may not wait for official confirmation.
Problems Arising from SaaS in Healthcare
The healthcare industry is increasingly turning to cloud-based services for enhanced efficiency and cost reduction. Companies like Episolus enable healthcare payers to effectively manage coding and risk adjustments at large scales. However, this shift introduces new risks, as data security now relies on the infrastructure of third-party vendors.
Healthcare data is particularly valuable to cybercriminals. Unlike payment card details that can be changed quickly, medical and identity records remain on the dark web for a prolonged time. Such breaches can lead to insurance fraud, identity theft, and other alarming scenarios.
Unfortunately, Episolus isn’t the only company dealing with security breaches. Various healthcare SaaS providers, such as Accellion and Blackbaud, have also reported incidents that affected millions, resulting in class action lawsuits and increased government scrutiny.
Protecting Yourself from Data Breaches
If your information has been compromised in a healthcare breach, consider taking several protective measures:
- Identity theft protection services: These offer continuous monitoring of your personal information to detect misuse.
- Personal Data Deletion Services: They help in removing your information from numerous online databases to minimize exposure.
- Reliable antivirus software: This helps prevent malware installations via phishing attempts.
- Two-factor authentication: This adds an extra layer of security to your accounts, making unauthorized access harder for hackers.
- Scrutinize physical mail: Be wary of unsolicited emails that could be phishing attempts.
Takeaways from the Breach
What is particularly concerning is that many of the affected individuals may not even be aware that their data was compromised. Episolus operates behind the scenes, primarily dealing with insurance companies and healthcare providers rather than directly with patients. The sensitive data of individuals now lies in the hands of third parties they may not have chosen directly, which complicates accountability and transparency.
