Approximately 211,000 patients and customers of the University of Iowa Community HomeCare may have had their personal data exposed after a July cyberattack.
What happened
According to the Iowa City Press-Citizen, on July 3, 2025, an unauthorized individual gained access to the computer systems of University of Iowa Community HomeCare, an affiliate of University of Iowa Health Care (UIHC). The breach was detected swiftly, prompting an immediate shutdown of affected servers and the involvement of cybersecurity experts. Remarkably, the systems were safely restored within just one business day.
Going deeper
Though UIHC's main electronic health record (EHR) systems remained untouched, the breach compromised data stored by Community HomeCare, data that, while managed separately, included overlapping files for UIHC patients. The stolen files potentially contained sensitive personal information such as names, dates of birth, addresses, phone numbers, medical record numbers, dates and types of service, provider information, insurance details, and possibly Social Security numbers, though the latter has not been confirmed.
The investigation revealed that approximately 211,000 individuals were impacted; written notifications were mailed to affected parties on August 29, 2025.
Read also: What is the difference between PII and PHI?
What was said
In the formal notification sent to those affected, the University of Iowa Health Care (UI Health Care) made clear both its regret over the incident and its commitment to patient trust and data security, “At University of Iowa Health Care, we take patient trust and data protection very seriously. We deeply regret to inform you of an incident at University of Iowa Community HomeCare, an affiliate company that supports the mission of UI Health Care, involving personal information.… Please be assured that we have taken every step necessary to address the incident.” Furthermore, the public notice issued indicated swift containment and transparency, stating, “We quickly took action to protect our patients and prevent further harm by shutting down our servers and bringing in cybersecurity experts to investigate. We were able to safely restore systems within one business day.”
Regarding the scope and nature of the data involved, the notice clarified that “after further investigation, we learned that a cyber-criminal was able to see and take copies of data in our computer system, which included some data files containing information for UI Community HomeCare customers and a group of UI Health Care patients. The electronic health record was not compromised, and at this time, there is no indication that the data contained in accessed files has been misused.”
Why it matters
The data of approximately 211,000 individuals was exposed in this breach, creating significant risks for those impacted. For many, the compromised files may include deeply personal details such as names, birth dates, addresses, medical record numbers, insurance information, and in some cases, Social Security numbers. Even though there is currently no evidence of misuse, the exposure of this type of information can leave individuals vulnerable to identity theft, medical fraud, and financial exploitation.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQS
Why are healthcare organizations frequent targets for cyberattacks?
Healthcare data is extremely valuable because it combines personal identifiers (like Social Security numbers) with medical and insurance details. Criminals can use it for identity theft, medical fraud, or to sell on the dark web.
How long do the risks from a data breach last?
The risks can persist for years. Unlike credit card numbers, which can be changed, information such as names, birth dates, and medical history cannot be altered. Criminals may wait months or years before attempting to misuse stolen data.
How will I know if my data is being misused?
Warning signs include receiving unfamiliar medical bills, unexpected insurance claim denials, unexplained credit inquiries, or notices about accounts you didn’t open.
Tshedimoso Makhene
