A July 2024 data breach at UI HomeCare, a University of Iowa Health Care affiliate, exposed sensitive personal and medical data of over 211,000 patients. The breach, attributed to a cybercriminal, compromised names, dates of birth, Social Security numbers, health insurance details, provider information, and medical visit types. While UI Health Care claimed no evidence of misuse, patients reported increased spam calls, anxiety, sleep disruption, and fear of long-term identity theft. The breach was disclosed nearly two months later, sparking outrage and eight class-action lawsuits alleging negligence, privacy invasion, and failure to meet FTC security standards. Plaintiffs seek financial restitution, citing lifelong risks from the exposure of highly sensitive health and financial data. The incident underscored vulnerabilities in healthcare cybersecurity, with no arrests made to date.
TPRM report: https://www.rankiteo.com/company/university-of-iowa-health-care
"id": "uni3402134101025",
"linkid": "university-of-iowa-health-care",
"type": "Breach",
"date": "7/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '211,000',
'industry': 'Healthcare',
'location': 'Iowa, USA',
'name': 'University of Iowa HomeCare',
'type': 'Healthcare Provider'}],
'customer_advisories': ['Letters sent to impacted patients urging vigilance '
'against identity theft'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '211,000',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII and PHI)',
'type_of_data_compromised': ['Names',
'Dates of birth',
'Social Security numbers',
'Health insurance information',
'Health care providers',
'Types of medical visits']},
'date_detected': '2024-07-03',
'date_publicly_disclosed': '2024-08-29',
'description': 'A cybercriminal gained unauthorized access to data systems at '
'University of Iowa HomeCare, a full-service home infusion and '
'medical equipment services provider, potentially compromising '
'sensitive medical and personal information of over 200,000 '
'patients. The breach was detected in July 2024 and publicly '
'disclosed in late August 2024. Eight class-action lawsuits '
'have been filed by affected patients, alleging negligence, '
'invasion of privacy, and increased risk of identity theft and '
'fraud. Plaintiffs also expressed outrage over the nearly '
'two-month delay in notification.',
'impact': {'brand_reputation_impact': True,
'customer_complaints': True,
'data_compromised': True,
'identity_theft_risk': True,
'legal_liabilities': True,
'systems_affected': ['University of Iowa HomeCare data systems']},
'initial_access_broker': {'high_value_targets': ['Patient PII and PHI']},
'investigation_status': 'Ongoing (no arrests made)',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'root_causes': ['Alleged failure to adhere to FTC '
'guidelines and industry standards',
'Delay in breach notification (~2 '
'months)']},
'references': [{'source': 'Press-Citizen'},
{'source': 'University of Iowa Health Care public statement '
'(August 29, 2024)'},
{'source': 'Class-action lawsuit filings (2024)'}],
'regulatory_compliance': {'legal_actions': ['Eight class-action lawsuits '
'filed (alleging negligence, per '
'se negligence, breach of implied '
'contract, invasion of privacy)',
'Plaintiffs seeking financial '
'restitution and damages',
'Jury trial requested'],
'regulations_violated': ['Potential violation of '
'U.S. Federal Trade '
'Commission (FTC) '
'guidelines',
'Industry standards for '
'healthcare data '
'security']},
'response': {'communication_strategy': ['Public announcement in late August '
'2024',
'Letters to impacted patients'],
'recovery_measures': ['Patient notification letters',
'Advisories to monitor credit reports and '
'bank statements']},
'stakeholder_advisories': ['Patients advised to monitor credit reports and '
'bank statements for fraudulent activity'],
'threat_actor': 'Cybercriminal (unknown)',
'title': 'Data Breach at University of Iowa HomeCare (UI Health Care '
'Affiliate)',
'type': ['Data Breach', 'Unauthorized Access']}