Cyber Incident Victim: University of Iowa Health System - Community HomeCare
Date:
Mar 2023
Location:
United States of America
Summary
A healthcare provider experienced a cybersecurity incident involving unauthorized network access and file encryption, compromising sensitive data of over 67,000 individuals. The breached information included names, birth dates, contact details, medical record numbers, treatment histories, diagnoses, insurance information, billing records, and physician referrals. The organization confirmed the intrusion through an internal investigation and subsequently notified affected consumers while filing required regulatory disclosures. As a subsidiary of a major regional health system, the provider offers home-based medical services including equipment delivery and infusion therapy across numerous clinical locations. The incident underscores risks associated with storing highly sensitive patient data targeted by malicious actors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 23, 2023, UI Community HomeCare, a subsidiary of the University of Iowa Health System, identified a cybersecurity incident when certain files on its computer systems were encrypted. The organization immediately initiated an internal investigation to determine the scope and cause of the unauthorized activity. The investigation confirmed that an unauthorized third party had gained access to the company's network on the same date. The compromised files contained sensitive personal and protected health information belonging to individuals under the company's care. UI Community HomeCare undertook a detailed review of the affected data to ascertain the specific information exposed and identify impacted individuals. The analysis revealed that the unauthorized party potentially accessed names, dates of birth, addresses, phone numbers, medical record numbers, referring physician details, dates of service, health insurance information, billing and claims data, medical histories, diagnoses, and treatment information. The incident did not initially disclose the exact method of network infiltration or the duration of unauthorized access prior to detection, though the encryption event triggered the investigative response. At this stage, UI Community HomeCare did not publicly attribute the incident to a specific threat actor or group.
UI Community HomeCare confirmed the breach affected 67,897 individuals and filed a formal notice with the U.S. Department of Health and Human Services Office for Civil Rights on May 24, 2023. The organization concurrently dispatched individualized data breach notifications via mail to all affected parties, informing them of the compromised data categories and advising vigilance against potential identity theft or fraud. No evidence suggested direct misuse of the exposed information at the time of notification. The parent organization, University of Iowa Health System—a major Iowa-based healthcare provider operating over 250 specialty clinics with 16,500 employees and $1.8 billion in annual revenue—publicly acknowledged the incident through UI Community HomeCare’s regulatory filings and website notices. The breach impacted specific files related to home healthcare services, including durable medical equipment delivery and infusion therapy records, but did not indicate wider compromise of University of Iowa Health System’s primary networks. The incident underscored operational disruptions from file encryption and necessitated forensic reviews to establish data exposure parameters prior to mandatory breach disclosures. No additional containment measures or system restoration timelines were publicly detailed beyond the completion of internal investigations and fulfillment of regulatory notification requirements.