The healthcare industry is facing large data breaches again as two of the biggest software companies, Ocuco and Episource, acknowledge that they’ve suffered separate hacks affecting hundreds of thousands of people and dozens of their clients.
These breach reports underscore the ongoing struggle to secure patient data and the key role that third-party vendor security plays in healthcare.
Ocuco Inc., a Dublin, Ireland-based provider of optical software solutions, has recently informed the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) of a data breach impacting almost 241,000 individuals. The network server hacking incident is being described as a ransomware attack by the group known as Killsec (aka Kill Security).
Copied data, including company files, appointment information, and data on U.S. and Canadian eyecare patients, has allegedly been put up for download on dark web sites – a common indication that the victim has refused to pay a ransom.
Meanwhile, a California medical coding services company called Episource LLC has also just started notifying patients about a ransomware attack it discovered in February.
Although the scope remains unclear, the breach has affected thousands of patients, as well as clients including Sharp HealthCare in California and Horizon Blue Cross Blue Shield of New Jersey. An investigation found that unauthorized access and data exfiltration occurred on Episource’s systems from January 27 to February 6, 2025.
These events illustrate an alarming trend in healthcare cybersecurity — an increasing number of hackers are compromising the software and service vendors that provide essential tools to the healthcare industry, resulting in the exposure of massive amounts of sensitive protected health information (PHI).
The HIPAA Journal’s figures for 2025 suggest an abundance of major data breaches, many of them concerning business associates like software service providers.
With patient information at risk of being exploited, healthcare organizations are being encouraged to strengthen due diligence on their third-party vendors, deploy top-notch cybersecurity protections and better inform staff on current cyber threats.
With lawyers having already started to formally investigate potential class-action lawsuits linked to the Ocuco and Episource breaches, the ramifications of compromised data are all too clear.