University of Iowa Health Care Data Breach 2025: 101,875 Affected · UI Community HomeCare Network Intrusion · Class Actions Filed
University of Iowa Health Care (UIHC), the academic medical center in Iowa City, filed a HIPAA breach notification with HHS OCR on August 29, 2025 reporting 101,875 affected individuals. The filing is the UIHC half of a single July 3, 2025 network intrusion at affiliate UI Community HomeCare; a parallel OCR entry for UI Community Home Care covers an additional 109,029 individuals, for a combined population the entity describes as approximately 211,000. At least eight class actions have been filed.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jul 3, 2025
Unauthorized actor accesses UI Community HomeCare computer systems; the affiliate shares some patient, employee, and data files with UIHC.
Jul 3, 2025
Intrusion detected the same day; servers shut down and a third-party cybersecurity team engaged. Systems restored within one business day.
Aug 29, 2025
UI Health Care mails written notifications to affected individuals and files paired HIPAA breach reports with HHS OCR — 101,875 under University of Iowa Health Care and 109,029 under University of Iowa Community Home Care. UI Community HomeCare also files breach notifications with attorneys general in at least 13 states including Iowa, California, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington.
Aug 29, 2025
Disclosed publicly
Sep 12, 2025
By mid-September 2025, at least eight putative class actions have been filed against UIHC, UI Community HomeCare, and UI Community Medical Services.
Sep 17, 2025
Counsel moves to consolidate all eight related actions before Iowa courts and seeks appointment of co-lead attorneys, citing that each action arises from the same July 3, 2025 cybersecurity incident.
Nov 11, 2025
ClassAction.org marks its investigation into this breach as complete.
Jul 3, 2025
Unauthorized actor accesses UI Community HomeCare computer systems; the affiliate shares some patient, employee, and data files with UIHC.
Jul 3, 2025
Intrusion detected the same day; servers shut down and a third-party cybersecurity team engaged. Systems restored within one business day.
Aug 29, 2025
UI Health Care mails written notifications to affected individuals and files paired HIPAA breach reports with HHS OCR — 101,875 under University of Iowa Health Care and 109,029 under University of Iowa Community Home Care. UI Community HomeCare also files breach notifications with attorneys general in at least 13 states including Iowa, California, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington.
Aug 29, 2025
Disclosed publicly
Sep 12, 2025
By mid-September 2025, at least eight putative class actions have been filed against UIHC, UI Community HomeCare, and UI Community Medical Services.
Sep 17, 2025
Counsel moves to consolidate all eight related actions before Iowa courts and seeks appointment of co-lead attorneys, citing that each action arises from the same July 3, 2025 cybersecurity incident.
Nov 11, 2025
ClassAction.org marks its investigation into this breach as complete.
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
University of Iowa Health Care filed a HIPAA breach notification with HHS OCR on August 29, 2025 reporting 101,875 affected individuals in a Hacking/IT Incident at a Network Server. This filing is the UIHC half of a single intrusion: on the same day, the system’s home-infusion and home-medical-equipment affiliate filed a separate report for 109,029 individuals as University of Iowa Community Home Care. The combined population — which UIHC describes publicly as “approximately 211,000” — reflects the two covered entities sharing some patients, employees, and data files even though they operate distinct EHR and IT systems.
Timeline
- July 3, 2025 — Access and detection. An unauthorized actor accessed UI Community HomeCare’s computer systems. UIHC says the intrusion was identified the same day; servers were shut down, an outside cybersecurity firm was retained, and systems were restored within one business day. UIHC’s own electronic health record system was not breached, but file repositories shared with the affiliate were within scope.
- August 29, 2025 — Notification. UI Health Care mailed individual notification letters and filed paired HHS OCR breach reports — one for UIHC (101,875) and one for UI Community Home Care (109,029). UIHC’s substitute notice was published the same day at uihc.org.
- Mid-September 2025 — Litigation. Within roughly two weeks of notice, at least eight putative class actions had been filed naming UIHC, UI Community HomeCare, and UI Community Medical Services as defendants. On September 17, 2025, counsel formally moved to consolidate all eight actions and seek appointment of co-lead attorneys, citing that each action arises from the same incident.
- November 11, 2025 — Investigation closed. ClassAction.org updated its tracker to note that its investigation into the UI Community HomeCare breach was complete.
What was exposed
Per UIHC’s own substitute notice, the files accessed during the intrusion contained patient information that varied by individual and may have included:
- Name, date of birth, address, phone number
- Medical record number, provider name, type of visit, date(s) of service
- Health insurance information
There is an important distinction between the two OCR filings. UIHC’s public FAQ at uihc.org states: “We have no indication that Social Security numbers were included in the files that were compromised” — that statement applies to the UIHC-side files. The UI Community HomeCare notification letter (reproduced in the uihealthcare.org press release) uses broader language and lists SSN as a data element that “may have been seen and taken.” Several plaintiff-firm investigation pages and state-AG-filing aggregators confirm SSN as exposed for the combined population. If your notification letter came from UI Community HomeCare rather than directly from UIHC, treat SSN as potentially in scope and act accordingly. The UIHC FAQ is the controlling source for the UIHC-specific population.
UI Community HomeCare serves individuals in Iowa, western Illinois, and northern Missouri. The organization filed breach notifications with at least 13 state attorneys general, including California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington.
What UIHC is offering
UIHC is not offering complimentary credit-monitoring or identity-theft protection in connection with this incident, citing no indication that the accessed information has been misused. The substitute notice instead directs recipients to:
- Place a fraud alert (one-year or seven-year extended) or a credit freeze with the three nationwide credit bureaus.
- Pull free annual credit reports through annualcreditreport.com.
- Call the UI Health Care toll-free helpline at 833-745-0871, Monday through Friday, 8 a.m. to 8 p.m. Central.
Class-action posture
At least eight putative class actions have been filed in Iowa over this incident, naming University of Iowa Health Care, UI Community HomeCare, and UI Community Medical Services as defendants. Core allegations track typical hospital data-breach pleadings: negligence, breach of implied contract or fiduciary duty, and unjust enrichment, with particular emphasis on the gap between July 3, 2025 detection and August 29, 2025 notice. On September 17, 2025, counsel moved to consolidate all eight related actions and requested appointment of co-lead attorneys. Firms publicly confirmed to be investigating or pursuing claims include Federman & Sherwood, Schubert Jonckheer & Kolbe LLP, Lynch Carpenter LLP, Morgan & Morgan, and Markovits, Stock & DeMarco, LLC. ClassAction.org noted its own investigation was complete as of November 11, 2025.
It is worth noting that UI Community HomeCare experienced a prior data breach in 2023 (detected March 23, 2023, affecting 67,897 individuals), for which Markovits, Stock & DeMarco also investigated claims. The recurrence of security incidents at this affiliate strengthens negligence arguments in the 2025 litigation.
What to do
- Check your notification letter carefully. The letter specifies whether it comes from UIHC or UI Community HomeCare. The data in scope differs: UIHC’s FAQ states no SSN on its side; the HomeCare population may include SSN. Your individual letter controls.
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, reversible, and the single highest-leverage step against new-account fraud. This is especially important here because UIHC is not providing complimentary monitoring.
- File IRS Form 14039 if your notification letter confirms SSN exposure. This flags your account for added scrutiny against fraudulent tax refunds. Contact: 1-800-908-4490.
- Watch your EOBs and patient portal. Medical-identity misuse typically appears as unfamiliar visits or claims rather than credit-card fraud. Report anomalies directly to UIHC patient billing.
- Call the dedicated helpline. The UI Health Care toll-free number is 833-745-0871, available Monday through Friday, 8 a.m. to 8 p.m. Central.
- Be cautious about plaintiff-firm outreach. Multiple firms are advertising for class members. You retain the right to participate in any certified class regardless of which firm contacts you first; you do not need to retain individual counsel to preserve class-member status.
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests so the treatment and insurance information exposed in this breach is not continuously re-shared across health information exchanges, payers, and affiliated health networks.
Continue reading
- Your HIPAA rights — what you can restrict and how
- University of Iowa Community Home Care Data Breach 2025 (parallel OCR filing, 109,029 individuals)
- All tracked healthcare breaches
Sources
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- UIHC official substitute notice (uihc.org) — entity’s own description of timeline, exposed data elements, and remediation guidance, including the SSN FAQ.
- UI Health Care press release (uihealthcare.org) — institutional confirmation of paired notification and sample notification letter text.
- HIPAA Journal — UI Community HomeCare Hacking Incident Affects 211,000 Patients — trade-press synthesis of the combined population.
- KCRG (CBS Cedar Rapids) — 211,000 affected — local broadcast confirmation of the joint disclosure.
- CBS2 Iowa — patient information leaked after breach at UIHC affiliate — local press confirmation of scope and affiliate relationship.
- ClassAction.org — UI Community HomeCare Data Breach lawsuit tracker — class-action filings index; investigation noted complete November 11, 2025.
- Federman & Sherwood — UIHC breach investigation — plaintiff-firm investigation naming UIHC.
- Schubert Jonckheer & Kolbe — UIHC and UI Community HomeCare investigation — names both entities; lists SSN among exposed elements for the combined population.
- Lynch Carpenter — UI Community HomeCare Data Breach Claims Investigated — additional plaintiff-firm investigation.
- Morgan & Morgan — University of Iowa Community HomeCare Data Breach — additional plaintiff-firm investigation page.
- ClaimDepot — UI Community HomeCare multi-state AG filing tracker — confirms filings with 13+ state attorneys general.
- The Gazette — Eight class-action lawsuits filed against UI Health Care, HomeCare over data breach — local press reporting on the eight suits and September 17, 2025 consolidation motion.
- The Daily Iowan — UIHC responds to UI Community HomeCare data security incident — University of Iowa campus press coverage of the August 29, 2025 disclosure.
- Top Class Actions — UI Community HomeCare data breach affects 211,000 patients — consumer litigation tracker confirming class action posture.
- Markovits, Stock & DeMarco — UI Community HomeCare Data Breach Class Action Investigation — fifth plaintiff firm publicly investigating claims; same firm also investigated the entity’s 2023 breach.
- WQAD — Data breach impacts University of Iowa Community Home Care users — Quad Cities local television coverage confirming breach scope and multi-state patient footprint.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- UIHC official notice — Information on UI Community HomeCare data privacy event
- UI Health Care press release — UI Community HomeCare and UI Health Care notify individuals potentially impacted by data incident
- HIPAA Journal — UI Community HomeCare Hacking Incident Affects 211,000 Patients
- KCRG — Data compromised for roughly 211,000 people with UIHC, UI Community HomeCare
- CBS2 Iowa — Information of over 200,000 patients leaked after data breach at UIHC affiliate
- ClassAction.org — University of Iowa Community HomeCare Data Breach lawsuit tracker
- Federman & Sherwood — University of Iowa Health Care (UIHC) Data Breach investigation
- Schubert Jonckheer & Kolbe — University of Iowa Health Care and UI Community HomeCare investigation
- Lynch Carpenter — UI Community HomeCare Data Breach Claims Investigated
- Morgan & Morgan — University of Iowa Community HomeCare Data Breach investigation
- ClaimDepot — UI Community HomeCare Data Breach multi-state AG filing tracker
- The Gazette — Eight class-action lawsuits filed against UI Health Care, HomeCare over data breach
- The Daily Iowan — UIHC responds to UI Community HomeCare data security incident
- Top Class Actions — UI Community HomeCare data breach affects 211,000 patients
- Markovits, Stock & DeMarco — UI Community HomeCare Data Breach Class Action Investigation
- WQAD — Data breach impacts University of Iowa Community Home Care users
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.