University of Iowa Health Care reports cybercriminal incident affecting 211,000

IOWA CITY — University of Iowa Health Care and its affiliated UI Community HomeCare on Friday reported a data breach affecting about 211,000 individuals.

“After a comprehensive investigation, UI Community HomeCare learned that a cybercriminal was able to see and take copies of data files containing information from patients, including a group of UI Health Care patients,” UIHC officials announced Friday in reporting the July 3 incident.

An unknown person on that day accessed UI Community HomeCare’s computer system without permission — prompting the company to take swift action, shutting down its servers and bringing in cybersecurity experts to investigate.

UI Community HomeCare managed to “safely restore its systems within one business day.” And officials said no electronic health record systems were affected by the incident.

“While UI Community HomeCare and UI Health Care have separate operating systems, electronic health record systems, and information technology services, their relationship has historically involved sharing some patients, employees, and data files,” officials reported Friday.

Given the cybercriminal managed to see and take copies of patient data, UIHC mailed out hundreds of thousands of written notices Friday apologizing for the incident, promising to strengthen its processes, and offering help to patients with questions.

“At University of Iowa Health Care, we take patient trust and data protection very seriously,” according to the patient notice. “We deeply regret to inform you of an incident at University of Iowa Community HomeCare, an affiliate company that supports the mission of UI Health Care, involving the personal information of (the patient). Please be assured that we have taken every step necessary to address the incident.”

The breached files, according to the letter, included patient names, dates of birth, medical record numbers, providers, type of visit, insurance information, and dates of service.

“Although there is no indication at this time that your information has been misused, we encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your personal account statements and monitoring free credit reports for suspicious activity and to detect errors,” the UIHC letter said.

“UI Health Care sincerely apologizes for any inconvenience or concern caused by this incident. We are committed to working with UI Community HomeCare to strengthen its systems and business processes so we can prevent events like this from happening in the future.”

UI Community HomeCare, according to UIHC, is a “full-service home infusion and medical equipment services provider that serves individuals living in Iowa, western Illinois, and northern Missouri.”

The UI Community HomeCare nurses have expertise and certification in providing chemotherapy, pediatric care, cardiac care, bone marrow transplant care, and infusion therapy. They also teach patients to self-administer some prescribed IV medications or tube feedings.

UI Community HomeCare also provided respiratory services and medical equipment to patients at home.

Vanessa Miller covers higher education for The Gazette.

Comments: (319) 339-3158; vanessa.miller@thegazette.com