Cyber Incident Victim: Iowa Veterans Home

In February 2017, the Iowa Veterans Home (IVH) experienced a data security incident stemming from phishing email campaigns targeting Google and the State of Iowa. Three IVH employees fell victim to these phishing attempts and disclosed their login credentials, enabling unauthorized access to their institutional email accounts. The Office of the Chief Information Officer (OCIO) and IVH jointly coordinated incident response efforts, recovering compromised systems and implementing additional security measures to prevent recurrence. While officials confirmed the breach of employee credentials, they stated no evidence indicated the attacker actually accessed the email accounts before IVH blocked further intrusion attempts. The organizations did not publicly disclose technical details regarding the phishing methods, duration of account exposure, or specific containment procedures beyond collaborative recovery actions.

As a precautionary measure despite lacking confirmed data exfiltration, IVH notified approximately 2,969 current and former residents and applicants whose personal information resided in potentially accessible systems. Compromised data types included names, mailing addresses, phone numbers, medical information, and Social Security numbers. IVH established a dedicated toll-free helpline (1-800-645-4591) and directed inquiries to its official website while advising affected individuals to monitor credit reports through AnnualCreditReport.com or 877-322-8228. The notification recommended contacting Iowa’s Attorney General’s Consumer Protection Division or local law enforcement for suspected identity theft incidents. Public statements emphasized proactive disclosure due to the sensitivity of veteran health and identification records, though no fraudulent use of data was substantiated following investigation.