Iowa Health and Human Services Data Breach 2026: 3,340 Iowans Exposed. Filed With No Public Disclosure. What To Do
The Iowa Department of Health and Human Services filed an HHS OCR breach on January 6, 2026 affecting 3,340 individuals. As of mid-May 2026, no entity notice, Iowa AG filing, or press coverage has surfaced for this specific incident — a notable transparency gap for a state agency breach affecting vulnerable Medicaid populations. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 6, 2026
HHS OCR filing (incident date, discovery date, and notification dates not publicly disclosed)
Jan 6, 2026
Attacker gained access
Jan 6, 2026
Breach detected
Jan 6, 2026
HHS OCR filing (incident date, discovery date, and notification dates not publicly disclosed)
Jan 6, 2026
Attacker gained access
Jan 6, 2026
Breach detected
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
The Iowa Department of Health and Human Services (Iowa HHS) is a consolidated state agency formed in 2022 from the former DHS and Iowa Department of Public Health. Iowa HHS administers:
- Iowa Medicaid (~700,000 members)
- Iowa Health and Wellness Plan (ACA expansion, ages 19-64)
- Hawki (children’s coverage)
- Iowa Health Link managed care (Iowa Total Care, Wellpoint Iowa, Molina Healthcare of Iowa)
- Public Health
- Aging, Mental Health & Disability Services
- SNAP and child welfare programs
This is a vulnerable-population dataset by any measure.
Iowa HHS filed with HHS OCR on January 6, 2026 — Hacking/IT Incident at Network Server — confirming 3,340 affected individuals. Under HIPAA’s 60-day notification rule, the incident was likely discovered between early November 2025 and early January 2026.
Why this page exists as a stub
As of mid-May 2026 — more than 4 months after the OCR filing — no public disclosure has surfaced for this specific incident. Every channel returns empty:
- No entity notice on Iowa HHS’s data-breach notifications page (
hhs.iowa.gov/about/newsroom/data-breach-notifications). The only 2026 entry on that page is an unrelated April 13, 2026 incident affecting 6,717 Medicaid members via accidental web posting — different mechanism, different population, different category (Unauthorized Access/Disclosure, not Hacking/IT). - No Iowa AG filing on the 2026 Security Breach Notifications list.
- No press coverage in the Des Moines Register, Iowa Capital Dispatch, KCRG, WHO13, We Are Iowa, Iowa Public Radio, CBS2 Iowa, or Little Village.
- No HIPAA Journal, DataBreaches.net, StateScoop, or GovTech writeup.
- No ransomware leak-site listing.
The OCR portal row is the only public artifact. Treat this page as a placeholder until Iowa HHS issues a notice, the Iowa AG portal posts a filing, or local press surfaces a story.
If you are an Iowa Medicaid recipient, MH/DS waiver client, or child welfare program participant, the absence of public disclosure is itself worth flagging to:
- Iowa AG Consumer Protection: 1-888-777-4590
- Iowa Ombudsman: 1-888-426-6283
- Your state legislator (Iowa General Assembly members can request executive-branch transparency)
What was potentially exposed
Specific PHI categories have not been publicly disclosed. Given Iowa HHS’s program scope, plausible exposure includes:
- Iowa Medicaid IDs and eligibility data
- Iowa Health and Wellness Plan / Hawki enrollment records
- Mental health and disability waiver assessment data
- Child welfare records (potentially)
This is inference, not fact. Do not assume any specific category until Iowa HHS issues a notice.
What to do
- Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution. If your SSN is in scope, this is your strongest single-step protection.
- Watch your Medicaid Summary Notice for unfamiliar claims.
- If you are a child welfare program participant or MH/DS waiver client, contact your case worker to ask whether your records were in the affected set.
- Call Iowa HHS at 1-855-889-7985 (Iowa Medicaid Member Services) and ask whether you have been notified about a January 2026 breach.
- Contact your state legislator if you receive no clear answer — public agency transparency on a 3,340-person breach is reasonable to expect.
- Stop the ongoing flow of your state health-program data. HealthConsent files HIPAA restriction requests covering state Medicaid and public health pathways.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS OCR Breach Portal
- Iowa HHS Data Breach Notifications Page (no January 2026 entry as of 2026-05-15)
- Iowa AG 2026 Security Breach Notifications (no Iowa HHS entry as of 2026-05-15)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.