Iowa HHS Exposes Limited Medicaid Data in Website Error
On February 20, 2026, the Iowa Department of Health and Human Services (HHS) discovered that a file containing Medicaid subscriber information had been mistakenly posted to its public website four days earlier, on February 16. The file, which was promptly removed, included Medicaid subscriber IDs, associated waiver program names, and assessment dates for eligibility but no names, addresses, or other personal or health details.
A total of 6,717 individuals were affected by the exposure. As a precaution, Iowa HHS is notifying impacted subscribers and has issued a public notice on its website. The department has also implemented additional staff training and is reviewing internal processes to prevent similar incidents in the future.
While the exposed data did not include sensitive personal information, individuals are advised they may request free credit reports or place a credit freeze through standard channels. Those suspecting identity theft are directed to contact local law enforcement or Iowa’s Consumer Protection Division.
Source: https://westerniowatoday.com/2026/04/13/data-breach-impacts-some-medicaid-members/
Iowa Department of Health and Human Services cybersecurity rating report: https://www.rankiteo.com/company/iowahhs
"id": "IOW1776141104",
"linkid": "iowahhs",
"type": "Breach",
"date": "4/2026",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'customers_affected': '6717',
'industry': 'Healthcare',
'location': 'Iowa, USA',
'name': 'Iowa Department of Health and Human Services '
'(HHS)',
'type': 'Government Agency'}],
'attack_vector': 'Human Error',
'customer_advisories': 'Impacted subscribers notified; advised to request '
'free credit reports or place a credit freeze if '
'concerned',
'data_breach': {'number_of_records_exposed': '6717',
'personally_identifiable_information': 'Medicaid subscriber '
'IDs',
'sensitivity_of_data': 'Low (no names, addresses, or '
'personal/health details)',
'type_of_data_compromised': 'Medicaid subscriber information'},
'date_detected': '2026-02-20',
'date_publicly_disclosed': '2026-02-20',
'description': 'On February 20, 2026, the Iowa Department of Health and Human '
'Services (HHS) discovered that a file containing Medicaid '
'subscriber information had been mistakenly posted to its '
'public website four days earlier, on February 16. The file, '
'which was promptly removed, included Medicaid subscriber IDs, '
'associated waiver program names, and assessment dates for '
'eligibility but no names, addresses, or other personal or '
'health details.',
'impact': {'brand_reputation_impact': 'Potential',
'data_compromised': 'Medicaid subscriber IDs, waiver program '
'names, assessment dates',
'identity_theft_risk': 'Low',
'systems_affected': 'Public website'},
'investigation_status': 'Completed',
'lessons_learned': 'Need for improved internal processes and staff training '
'to prevent accidental data exposure',
'post_incident_analysis': {'corrective_actions': 'Additional staff training, '
'review of internal '
'processes',
'root_causes': 'Human error leading to accidental '
'posting of sensitive file on '
'public website'},
'recommendations': 'Implement stricter access controls, conduct regular '
'audits of public-facing systems, and enhance staff '
'training on data handling procedures',
'references': [{'source': 'Iowa HHS Public Notice'}],
'response': {'communication_strategy': 'Public notice on website, '
'notifications to impacted subscribers',
'containment_measures': 'File removed from public website',
'remediation_measures': 'Additional staff training, review of '
'internal processes'},
'title': 'Iowa HHS Exposes Limited Medicaid Data in Website Error',
'type': 'Data Exposure'}