Active breach tracker Iowa City, Iowa Disclosed August 29, 2025

University of Iowa Health Care Data Breach 2025: 101,875 Affected · UI Community HomeCare Network Intrusion · Class Actions Filed

University of Iowa Health Care (UIHC), the academic medical center in Iowa City, filed a HIPAA breach notification with HHS OCR on August 29, 2025 reporting 101,875 affected individuals. The filing is the UIHC half of a single July 3, 2025 network intrusion at affiliate UI Community HomeCare; a parallel OCR entry for UI Community Home Care covers an additional 109,029 individuals, for a combined population the entity describes as approximately 211,000. At least eight class actions have been filed.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 3, 2025

Unauthorized actor accesses UI Community HomeCare computer systems; the affiliate shares some patient, employee, and data files with UIHC.

Jul 3, 2025

Intrusion detected the same day; servers shut down and a third-party cybersecurity team engaged. Systems restored within one business day.

Aug 29, 2025

UI Health Care mails written notifications to affected individuals and files paired HIPAA breach reports with HHS OCR — 101,875 under University of Iowa Health Care and 109,029 under University of Iowa Community Home Care. UI Community HomeCare also files breach notifications with attorneys general in at least 13 states including Iowa, California, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington.

Aug 29, 2025

Disclosed publicly

Sep 12, 2025

By mid-September 2025, at least eight putative class actions have been filed against UIHC, UI Community HomeCare, and UI Community Medical Services.

Sep 17, 2025

Counsel moves to consolidate all eight related actions before Iowa courts and seeks appointment of co-lead attorneys, citing that each action arises from the same July 3, 2025 cybersecurity incident.

Nov 11, 2025

ClassAction.org marks its investigation into this breach as complete.

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical record number

03

Contact & insurance

Phishing + targeted scams

Name Address Phone number Provider name Type of visit Date(s) of service Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (investigating) Schubert Jonckheer & Kolbe LLP (investigating) Lynch Carpenter LLP (investigating) Morgan & Morgan (investigating) Markovits, Stock & DeMarco, LLC (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

University of Iowa Health Care filed a HIPAA breach notification with HHS OCR on August 29, 2025 reporting 101,875 affected individuals in a Hacking/IT Incident at a Network Server. This filing is the UIHC half of a single intrusion: on the same day, the system’s home-infusion and home-medical-equipment affiliate filed a separate report for 109,029 individuals as University of Iowa Community Home Care. The combined population — which UIHC describes publicly as “approximately 211,000” — reflects the two covered entities sharing some patients, employees, and data files even though they operate distinct EHR and IT systems.

Timeline

  • July 3, 2025 — Access and detection. An unauthorized actor accessed UI Community HomeCare’s computer systems. UIHC says the intrusion was identified the same day; servers were shut down, an outside cybersecurity firm was retained, and systems were restored within one business day. UIHC’s own electronic health record system was not breached, but file repositories shared with the affiliate were within scope.
  • August 29, 2025 — Notification. UI Health Care mailed individual notification letters and filed paired HHS OCR breach reports — one for UIHC (101,875) and one for UI Community Home Care (109,029). UIHC’s substitute notice was published the same day at uihc.org.
  • Mid-September 2025 — Litigation. Within roughly two weeks of notice, at least eight putative class actions had been filed naming UIHC, UI Community HomeCare, and UI Community Medical Services as defendants. On September 17, 2025, counsel formally moved to consolidate all eight actions and seek appointment of co-lead attorneys, citing that each action arises from the same incident.
  • November 11, 2025 — Investigation closed. ClassAction.org updated its tracker to note that its investigation into the UI Community HomeCare breach was complete.

What was exposed

Per UIHC’s own substitute notice, the files accessed during the intrusion contained patient information that varied by individual and may have included:

  • Name, date of birth, address, phone number
  • Medical record number, provider name, type of visit, date(s) of service
  • Health insurance information

There is an important distinction between the two OCR filings. UIHC’s public FAQ at uihc.org states: “We have no indication that Social Security numbers were included in the files that were compromised” — that statement applies to the UIHC-side files. The UI Community HomeCare notification letter (reproduced in the uihealthcare.org press release) uses broader language and lists SSN as a data element that “may have been seen and taken.” Several plaintiff-firm investigation pages and state-AG-filing aggregators confirm SSN as exposed for the combined population. If your notification letter came from UI Community HomeCare rather than directly from UIHC, treat SSN as potentially in scope and act accordingly. The UIHC FAQ is the controlling source for the UIHC-specific population.

UI Community HomeCare serves individuals in Iowa, western Illinois, and northern Missouri. The organization filed breach notifications with at least 13 state attorneys general, including California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington.

What UIHC is offering

UIHC is not offering complimentary credit-monitoring or identity-theft protection in connection with this incident, citing no indication that the accessed information has been misused. The substitute notice instead directs recipients to:

  • Place a fraud alert (one-year or seven-year extended) or a credit freeze with the three nationwide credit bureaus.
  • Pull free annual credit reports through annualcreditreport.com.
  • Call the UI Health Care toll-free helpline at 833-745-0871, Monday through Friday, 8 a.m. to 8 p.m. Central.

Class-action posture

At least eight putative class actions have been filed in Iowa over this incident, naming University of Iowa Health Care, UI Community HomeCare, and UI Community Medical Services as defendants. Core allegations track typical hospital data-breach pleadings: negligence, breach of implied contract or fiduciary duty, and unjust enrichment, with particular emphasis on the gap between July 3, 2025 detection and August 29, 2025 notice. On September 17, 2025, counsel moved to consolidate all eight related actions and requested appointment of co-lead attorneys. Firms publicly confirmed to be investigating or pursuing claims include Federman & Sherwood, Schubert Jonckheer & Kolbe LLP, Lynch Carpenter LLP, Morgan & Morgan, and Markovits, Stock & DeMarco, LLC. ClassAction.org noted its own investigation was complete as of November 11, 2025.

It is worth noting that UI Community HomeCare experienced a prior data breach in 2023 (detected March 23, 2023, affecting 67,897 individuals), for which Markovits, Stock & DeMarco also investigated claims. The recurrence of security incidents at this affiliate strengthens negligence arguments in the 2025 litigation.

What to do

  1. Check your notification letter carefully. The letter specifies whether it comes from UIHC or UI Community HomeCare. The data in scope differs: UIHC’s FAQ states no SSN on its side; the HomeCare population may include SSN. Your individual letter controls.
  2. Freeze your credit with Equifax, Experian, and TransUnion. It is free, reversible, and the single highest-leverage step against new-account fraud. This is especially important here because UIHC is not providing complimentary monitoring.
  3. File IRS Form 14039 if your notification letter confirms SSN exposure. This flags your account for added scrutiny against fraudulent tax refunds. Contact: 1-800-908-4490.
  4. Watch your EOBs and patient portal. Medical-identity misuse typically appears as unfamiliar visits or claims rather than credit-card fraud. Report anomalies directly to UIHC patient billing.
  5. Call the dedicated helpline. The UI Health Care toll-free number is 833-745-0871, available Monday through Friday, 8 a.m. to 8 p.m. Central.
  6. Be cautious about plaintiff-firm outreach. Multiple firms are advertising for class members. You retain the right to participate in any certified class regardless of which firm contacts you first; you do not need to retain individual counsel to preserve class-member status.
  7. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests so the treatment and insurance information exposed in this breach is not continuously re-shared across health information exchanges, payers, and affiliated health networks.

Continue reading

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

Sources & further reading

Official HHS OCR Breach Portal: ocrportal.hhs.gov

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.