Cyber Incident Victim: Peoples Community Health Clinic

Peoples Community Health Clinic (PCHC) in Iowa discovered suspicious activity involving an employee’s email account on March 22, 2021. An investigation determined that unauthorized access to the account occurred between March 18 and March 22, 2021. The clinic could not confirm which specific data within the email account was accessed by the unauthorized individual during this four-day period. PCHC engaged external resources to analyze the compromised account’s contents, a process that extended until May 24, 2021, when investigators completed cataloging all types of information and identifying affected patients. The clinic’s public statement emphasized no evidence of actual or attempted misuse of patient information had been found at the time of notification.

The scope of potentially exposed data included names, addresses, Social Security numbers, dates of birth, driver’s license or state identification numbers, medical diagnoses and treatment details, health insurance information, payment card numbers, and card CVV/expiration dates. PCHC initiated patient notifications following the completion of the forensic review in May, though the exact number of affected individuals was not disclosed in available sources. A correction was issued regarding an initial press release error that incorrectly associated the incident with the unrelated Netgain Technology ransomware breach; PCHC clarified this was a drafting mistake and confirmed no connection to Netgain’s systems or prior incidents. The clinic did not describe technical containment measures but indicated ongoing coordination with legal counsel and external cybersecurity professionals throughout the investigation. No operational disruptions or financial impacts beyond notification efforts were reported in the disclosed information.