University of Iowa Community HomeCare Data Breach 2025: 109,029 Reported to HHS OCR After July 3 Network Intrusion (UIHC Notified ~211,000 in Total)
UI Community HomeCare detected unauthorized access to its network on July 3, 2025 and mailed notification letters on August 29, 2025. The HHS OCR portal lists 109,029 individuals under UICHC's entry; the combined UI Health Care and UICHC notification population is approximately 211,000. SSNs, medical record numbers, and insurance data were potentially exposed. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jul 3, 2025
Unauthorized actor accesses UI Community HomeCare's computer systems; servers shut down the same day
Jul 3, 2025
UICHC detects the intrusion and engages outside cybersecurity experts; systems safely restored within one business day
Aug 29, 2025
UI Community HomeCare and UI Health Care mail written notifications to approximately 211,000 affected individuals
Aug 29, 2025
Disclosed publicly
Sep 2, 2025
Lynch Carpenter LLP announces class-action investigation
Sep 10, 2025
First patient class-action complaint filed in Johnson County District Court (Iowa), alleging delayed notification
Sep 17, 2025
Federman & Sherwood announces parallel class-action investigation
Nov 11, 2025
Eight class-action lawsuits on file in Iowa state court against UIHC, UICHC, and UI Community Medical Services; judge denies initial consolidation motion pending service of process
Jul 3, 2025
Unauthorized actor accesses UI Community HomeCare's computer systems; servers shut down the same day
Jul 3, 2025
UICHC detects the intrusion and engages outside cybersecurity experts; systems safely restored within one business day
Aug 29, 2025
UI Community HomeCare and UI Health Care mail written notifications to approximately 211,000 affected individuals
Aug 29, 2025
Disclosed publicly
Sep 2, 2025
Lynch Carpenter LLP announces class-action investigation
Sep 10, 2025
First patient class-action complaint filed in Johnson County District Court (Iowa), alleging delayed notification
Sep 17, 2025
Federman & Sherwood announces parallel class-action investigation
Nov 11, 2025
Eight class-action lawsuits on file in Iowa state court against UIHC, UICHC, and UI Community Medical Services; judge denies initial consolidation motion pending service of process
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Iowa City-based University of Iowa Community HomeCare (UICHC) is a full-service home infusion and durable medical equipment provider affiliated with University of Iowa Hospitals & Clinics. It serves patients across Iowa, western Illinois, and northern Missouri, including individuals receiving chemotherapy, IV therapy, tube feedings, and respiratory services at home. While UICHC and UI Health Care operate separate systems, they have historically shared patients, employees, and data files.
On July 3, 2025, an unauthorized actor accessed UICHC’s computer systems. UICHC detected the intrusion the same day, shut down its servers, and engaged outside cybersecurity experts. Systems were safely restored within one business day. The investigation confirmed the cybercriminal was able to see and copy data files stored in the affected environment, including files belonging to UICHC patients and a subset of UI Health Care patients whose records were stored on the same systems. Electronic health records were not compromised.
The HHS Office for Civil Rights breach portal lists 109,029 individuals under UICHC’s submission (filed August 29, 2025). UI Health Care’s combined public notification population totals approximately 211,000 people across both entities. Notifications were mailed August 29, 2025; a substitute notice was posted on uihc.org and uicommunityhomecare.org for those who may not receive a letter.
This is the second major network breach at UI Community HomeCare in two years. In March 2023, an unauthorized actor accessed UICHC servers beginning on or about March 23, 2023, exposing records for 67,897 patients and 214 employees. That incident was reported to HHS OCR in May 2023. The 2025 breach is substantially larger in scope and, unlike the 2023 event, affected SSNs for a broader subset of the patient population. Plaintiffs in the current class actions point to the 2023 incident as evidence that UICHC had notice of its security vulnerabilities and failed to remediate them adequately.
What was stolen
Per UI Health Care’s official notice, the data elements involved vary by individual and may include:
- Full name
- Date of birth
- Address and phone number
- Medical record number
- Provider name and type of visit
- Date(s) of service
- Health insurance information
- Social Security number
UI Health Care states electronic medical records were not compromised. Because HIPAA continues to protect a deceased individual’s PHI for 50 years, UICHC is also notifying next of kin where applicable.
No threat actor has claimed public responsibility for this incident. No ransomware group has posted UICHC data on known leak sites as of this writing.
What UICHC is offering
UI Community HomeCare states it has “no indication that your or your loved one’s information has been misused” and is not offering complimentary credit monitoring at this time. The notice instead directs affected individuals to:
- Obtain free annual credit reports from each of the three nationwide bureaus
- Place a fraud alert or security freeze with the bureaus directly
- Call UICHC’s dedicated toll-free line at 833-745-0871, Monday through Friday, 8 a.m. to 8 p.m. Central Time (excluding major U.S. holidays) with questions
The absence of credit monitoring has been a focal point for class-action plaintiffs, who argue that a large health system with a prior 2023 breach should have offered monitoring to affected patients.
Class actions
As of late 2025, eight putative class-action lawsuits have been filed in Johnson County District Court (Iowa state court) naming UIHC, UI Community HomeCare, and UI Community Medical Services as defendants. The complaints allege that on July 3, 2025 UICHC’s systems were accessed by an unauthorized actor who exfiltrated sensitive PII and PHI, and that UICHC delayed patient notification by nearly two months in violation of state and federal disclosure obligations. A judge initially denied a motion to consolidate the cases on the procedural ground that the defendants had not been served; the motion may be refiled following service.
Federman & Sherwood, Schubert Jonckheer & Kolbe, Lynch Carpenter, and Morgan & Morgan have publicly announced investigations and solicited additional class members. ClassAction.org attorneys have completed their intake investigation (as of late 2025). The HHS Office for Civil Rights investigation tied to the 109,029-person OCR submission remains open.
Iowa AG: UICHC did not file a security breach notification with the Iowa Attorney General’s Office for the 2025 incident, consistent with its practice in 2023. Iowa Code Chapter 715C requires notification only when specific data elements (financial account numbers and associated access codes, or SSNs combined with financial data) meet the statutory definition. Because UICHC’s breach notification framework differs from Iowa’s statutory trigger, the Iowa AG portal does not carry a separate UICHC entry for either the 2023 or 2025 events.
What to do
Social Security numbers were potentially exposed for some affected individuals. Treat this as a high-severity exposure and stack defenses:
- Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud at the source. This is the single highest-leverage step when SSNs are in play.
- Pull your free annual credit reports at AnnualCreditReport.com and review for accounts or inquiries you do not recognize.
- File IRS Form 14039 (Identity Theft Affidavit) if you see a rejected tax return or suspicious IRS correspondence.
- Request an Identity Protection PIN (IP PIN) from the IRS for your federal returns at irs.gov/ippin to prevent fraudulent filings under your SSN.
- Watch for medical identity theft. Request copies of any Explanation of Benefits from your health insurer and verify the claims listed are services you actually received. Report unrecognized claims to the insurer and to HHS OCR.
- Be skeptical of phone, text, and email outreach claiming to be from UICHC or UI Health Care. Threat actors often follow large healthcare breaches with targeted phishing. UICHC will not ask for your full SSN or financial account details by phone to “verify” your record.
- Call the UICHC hotline at 833-745-0871 with breach-specific questions, and keep your notification letter. It documents the exposure window for any later identity-theft claim.
- Stop the ongoing flow of your home-health data. HealthConsent files HIPAA restriction requests so the home infusion, medical equipment, and clinical visit data exposed in this breach is not continuously re-shared across insurance networks, data brokers, and affiliated health system partners.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- UI Health Care — Information on UI Community HomeCare data privacy event (official notice)
- UI Health Care newsroom — UI Community HomeCare and UI Health Care notify individuals potentially impacted by data incident
- HIPAA Journal — UI Community HomeCare Hacking Incident Affects 211,000 Patients
- HIPAA Journal — August 2025 Healthcare Data Breach Report
- HHS Office for Civil Rights Breach Portal
- KCRG — Data compromised for roughly 211,000 people with UIHC / University of Iowa Community HomeCare
- The Daily Iowan — UIHC responds to UI Community HomeCare data security incident
- The Gazette — Eight class-action lawsuits filed against UI Health Care, HomeCare over data breach
- Federman & Sherwood — University of Iowa Community Home Care (UICH) Data Breach Investigation
- Lynch Carpenter LLP — Investigates Claims in UI Community HomeCare Data Breach (GlobeNewswire)
- Schubert Jonckheer & Kolbe — UI Community HomeCare investigation
- Morgan & Morgan — University of Iowa Community HomeCare Data Breach Impacts 211,000 Patients
- Iowa Attorney General — 2023 UICHC breach notification letter (prior incident, March 2023)
- ClassAction.org — UI Community HomeCare Data Breach investigation (completed)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.