FBI Warns of Health Insurance Phishing Amid Major Cyber Breaches at McLaren and Episource
The FBI has issued a warning to consumers to stay vigilant against phishing scams disguised as messages from legitimate health care providers and insurance companies. According to the bureau, fraudsters are increasingly sending emails and texts impersonating trusted organizations to steal sensitive data.
Unfortunately, not every alarming message flooding inboxes is a phishing attempt; some are genuine breach notifications.
McLaren Health Care: Second Breach in Two Years
As first reported by The Register, McLaren Health Care is notifying 743,131 individuals affected by a ransomware attack that took place on July 17, 2024—exactly one year ago. The breach originated at the Karmanos Cancer Institute, a McLaren affiliate, and went undetected until August 5.
Data stolen includes:
- Names
- Social Security numbers
- Driver’s license numbers
- Medical and health insurance information
While McLaren has claimed it “moved quickly” to respond, critics note the company took a full year to notify victims—without offering a direct apology. The company is offering 12 months of free credit monitoring.
McLaren, worth a self-reported $7.3 billion, operates 12 hospitals and multiple healthcare facilities across Michigan. This marks its second major cyber incident in 12 months. In July 2023, a now-defunct ransomware group compromised data on 2.2 million people, including sensitive medical and billing information.
Despite two breaches, McLaren has faced no regulatory penalties to date.
Episource: 5.4 Million Impacted in Major Breach
Meanwhile, medical billing giant Episource, a subsidiary of Optum (owned by UnitedHealth Group), is informing 5.4 million Americans that their personal and health data was stolen in a February 2025 cyberattack.
As reported by TechCrunch, hackers had access to systems for about a week, during which they exfiltrated:
- Names, addresses, emails, phone numbers
- Medical record numbers
- Diagnostic details, prescriptions, test results
- Health insurance plans and member IDs
The breach is among the largest U.S. healthcare data exposures of the year—and it’s only July.
UnitedHealth subsidiaries have suffered repeated security lapses. In one case, Optum left an internal employee chatbot exposed to the internet. But the most catastrophic was the Change Healthcare breach in February 2024, which affected an estimated 190 million Americans. The incident remains the largest healthcare data breach in U.S. history—enabled by the company’s failure to use two-factor authentication.
Bottom Line: Trust, but Verify
The FBI and security experts urge Americans to scrutinize any messages claiming to be from healthcare providers. While some may be phishing scams, others—like those from McLaren or Episource—could be legitimate notifications of actual data breaches.
If you receive such a notice:
- Confirm directly with your provider via official channels
- Monitor your accounts for suspicious activity
- Consider enrolling in credit or identity monitoring services
The line between cybersecurity and chaos in the healthcare industry continues to blur—and 2025 isn’t over yet.
FBI Issues New Warning: Healthcare Phishing Scams Exploit Data Breach Fallout
The FBI is sounding the alarm on a growing wave of phishing scams targeting patients and healthcare providers. In a recent public service announcement, the Bureau warns that cybercriminals are posing as legitimate health insurance companies and investigative personnel, aiming to trick victims into disclosing sensitive medical and financial information.
Phishing Tactics Grow More Sophisticated
According to the FBI, attackers are sending fake emails and texts that:
- Mimic official communications from healthcare providers
- Reference actual medical procedures, doctors, or billing issues
- Pressure recipients to disclose protected health data or financial details
- Claim victims owe money for non-covered services or overpayments
The danger? These phishing attempts are increasingly tailored using stolen data from previous healthcare breaches. When a message includes your real doctor’s name or a procedure you actually underwent, the bait is far more believable.
Data Breaches Fuel the Fire
This warning follows a string of high-profile healthcare data breaches, including:
- McLaren Health Care: Two breaches in two years affecting millions, with data including SSNs, medical history, and insurance info.
- Episource (a UnitedHealth/Optum subsidiary): 5.4 million affected in a February 2025 breach exposing diagnoses, medications, and policy numbers.
- Change Healthcare: The largest in U.S. history, affecting 190 million Americans—enabled by a lack of two-factor authentication.
Each of these breaches has supplied criminals with rich datasets that can be repurposed in phishing campaigns for years to come. As the podcast notes, medical history is permanent: you will always have seen that doctor, had that procedure, or taken that medication.
What Credit Monitoring Doesn’t Cover
Offering 12 months of credit monitoring has become standard post-breach—but that only protects against certain types of fraud. It does not prevent phishing. And it certainly doesn’t erase the stolen data.
FBI’s Cyber Hygiene Advice
The FBI recommends the following steps for protecting yourself:
- Be skeptical of unsolicited calls, texts, or emails requesting personal information.
- Do not click links in suspicious messages.
- Use strong passwords and enable Multi-Factor Authentication (MFA).
- Keep your software and antivirus up to date.
- Verify messages by contacting your health provider directly.
- Report phishing attempts to the FBI at: www.ic3.gov
Pro Tip: Use Your Healthcare App
Many healthcare providers now route all billing and doctor communications through official apps. As the podcast host suggests, this can be your safest line of communication. Get to know your provider’s app, and use it as your go-to platform to verify any messages.
With phishing scams growing more precise thanks to recycled breach data, healthcare consumers need to stay alert. Whether it’s McLaren, Episource, or your own provider—if something looks off, verify before you reply.