
Information on UI Community HomeCare data privacy event
Public Notice
This notice is about a data security event at University of Iowa Community HomeCare, an affiliate company that supports the mission of University of Iowa Health Care.
UI Community HomeCare is a full-service home infusion and medical equipment services provider that serves individuals living in Iowa, western Illinois, and northern Missouri. While UI Community HomeCare and UI Health Care have separate operating systems, electronic health record systems, and information technology services, their relationship has historically involved sharing some patients, employees, and data files.
We are posting this notice to provide individuals with information about the data security event and to share resources available to people whose personal data was potentially impacted. UI Community HomeCare and UI Health Care mailed letters to all affected individuals on Aug. 29, 2025.
What Happened
On July 3, 2025, UI Community HomeCare had someone access our computer system without our permission. We quickly took action to protect our patients and prevent further harm by shutting down our servers and bringing in cybersecurity experts to investigate. We were able to safely restore systems within one business day.
After further investigation, we learned that a cybercriminal was able to see and take copies of data in our computer system, which included some data files containing information for UI Community HomeCare customers and a group of UI Health Care patients. The electronic health record was not compromised, and at this time, there is no indication that the data contained in accessed files has been misused.
What Information Was Involved
Once we identified the individuals and specific data involved, we began notifying those who were impacted. The data that may have been seen and taken was not the same for everyone and may have included name, date of birth, address, phone number, medical record number, provider, dates of service, health insurance information, Social Security number, and type of visit.
What We Are Doing
We take patient trust and data protection very seriously, and we have taken several steps to mitigate and help prevent events like this from happening in the future. We investigated and called law enforcement, and we continue enhanced monitoring. We are committed to reviewing and improving our systems to prevent future incidents.
We regret any inconvenience or concern caused by this incident. If you have any questions or concerns, please call us toll-free at 833-745-0871, Monday through Friday from 8 am to 8 pm Central Time (excluding major U.S. holidays). We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your personal account statements and monitoring free credit reports for suspicious activity and to detect errors.
Frequently Asked Questions (FAQ)
1.) What happened?
On July 3, 2025, UI Community HomeCare had someone access our computer system without our permission. We quickly took action to protect our patients and prevent further harm by shutting down our servers and bringing in cybersecurity experts to investigate. We were able to safely restore systems within one business day.
After further investigation, we learned that a cybercriminal was able to see and take copies of data in UI Community HomeCare’s computer system, which included some data files containing patient information.
2.) Am I affected?
Affected individuals were mailed a notification letter from UI Community HomeCare on August 29, 2025.
3.) What specific information about me was stored on UI Community HomeCare’s servers?
While the information potentially obtained for each person was not identical, the data elements involved potentially include: an individual’s name, date of birth, medical record number, provider, type of visit, insurance information, and date of service.
4.) What did you do when the incident occurred?
UI Community HomeCare quickly took action to protect patients and prevent further harm by shutting down servers and bringing in cybersecurity experts to investigate. Our primary focus was to ensure that patient care could continue as quickly as possible and to protect the privacy of the patients whose information was stored on the impacted servers.
5.) Has the incident been contained?
At this time, the incident has been contained and monitoring will continue.
6.) What are you doing so this does not happen again?
We are taking this very seriously and we are committed to making continued improvements to strengthen our systems against future incidents. We have taken immediate steps following the incident, including implementing new monitoring tools, updating firmware, changing passwords, and removing files from impacted hardware.
While we have taken steps to mitigate and help prevent events like this from happening, cyberattacks continue to be prevalent, so we will remain vigilant and strive for continuous improvement.
7.) Were there other individuals affected by this incident, or am I the only one?
There are approximately 211,000 total affected individuals.
8.) What is UI Community HomeCare’s affiliation with UI Health Care?
UI Community HomeCare is a full-service home infusion and medical equipment services provider that serves individuals living in Iowa, western Illinois, and northern Missouri. While UI Community HomeCare and UI Health Care have separate operating systems, electronic health record systems, and information technology services, their relationship has historically involved sharing some patients, employees, and data files.
9.) Why are you contacting me about this if my loved one is no longer alive?
We apologize for any disruption this may have caused. An individual’s personal health information is still covered by HIPAA for 50 years after death, so we are required to notify the next of kin in this situation.
10.) Do I need to worry about identity theft?
At this time, UI Community HomeCare has no indication that your/your loved one’s information was misused.
11.) Will you be providing credit monitoring services?
There is no indication that your or your loved one’s information has been misused, so UI Community HomeCare is not offering credit monitoring services at this time.
12.) What can I do to protect against identity theft?
Although there is no indication at this time that your information has been misused, we encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your personal account statements and monitoring free credit reports for suspicious activity and to detect errors. The letter you received should have more information on steps you can take to protect your personal information. More information is also available below this FAQ and at uicommunityhomecare.org.
13.) I haven’t used UI Community HomeCare services recently. Why was my information still on file?
UI Community HomeCare’s electronic health record was not compromised through this incident. Your information was in a file that was retained on UI Community HomeCare’s computer system.
14.) Why did UI Community HomeCare have my information if I never used their services?
UI Community HomeCare has service agreements in place to provide UI Health Care patients home care supplies and medical equipment during visits. It’s possible your information may have been shared under this agreement—even if you did not directly engage with UI Community HomeCare.
15.) Is the letter I received about the security breach legitimate?
Yes, the letter is an official notification informing you of the incident and providing resources to help protect your personal information.
16.) I heard about the cybersecurity incident but did not receive a notification letter. Why?
If you did not receive a letter, it is likely that your information was not affected by the incident.
Steps You Can Take to Help Protect Personal Information
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of your credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
- Full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- Addresses for the prior two to five years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
- A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
Should you wish to place a credit freeze, please contact the three major credit reporting bureaus listed below:
Equifax
https://www.equifax.com/personal/credit-report-services/ 1-888-298-0045
Equifax Fraud Alert
P.O. Box 105069
Atlanta, GA 30348-5069
Equifax Credit Freeze, P.O. Box 105788, Atlanta, GA 30348-5788
Experian
https://www.experian.com/help/ 1-888-397-3742
Experian Fraud Alert
P.O. Box 9554
Allen, TX 75013
Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013
TransUnion
https://www.transunion.com/credit-help 1-800-916-8800
TransUnion Fraud Alert
P.O. Box 2000
Chester, PA 19016
TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094
Additional Information
You can find additional information regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or the state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and the state Attorney General. This notice has not been delayed by law enforcement.