Medical-billing company Episource, part of UnitedHealth Group’s Optum division, said hackers accessed the personal and health information of 5,418,866 patients during a breach that lasted from 27 January to 6 February this year and was detected on 6 February. The exposed data include contact details, insurance and policy numbers, medical records and, in some cases, Social Security numbers, raising heightened risks of identity theft and fraud. Episource shut down affected systems, hired forensic investigators and alerted law-enforcement agencies. The firm began notifying individuals on 23 April and is offering two years of free credit-monitoring and identity-theft protection. No evidence of misuse has been reported, the company said, but it urged patients to watch for suspicious activity in health and financial accounts. The incident is the second major breach linked to UnitedHealth in little more than a year, following the 2024 ransomware attack on its Change Healthcare unit that exposed data on roughly 190 million Americans. The latest intrusion has intensified scrutiny of UnitedHealth’s complex structure—an investigation published this week counted 2,694 subsidiaries—prompting questions about whether the insurer’s sprawling network can be effectively secured and overseen.