Information on UI Community HomeCare data privacy event

On July 3, 2025, UI Community HomeCare had someone  access our computer system without our permission. We quickly took action to protect our patients and prevent further harm by shutting down our servers and bringing in cybersecurity experts to investigate. We were able to safely restore systems within one business day.

After further investigation, we learned that a cybercriminal was able to see and take copies of data in our computer system, which included some data files containing information for UI Community HomeCare customers and a group of UI Health Care patients. The electronic health record was not compromised, and at this time, there is no indication that the data contained in accessed files has been misused.

Once we identified the individuals and specific data involved, we began notifying those who were impacted. The data that may have been seen and taken was not the same for everyone and may have included name, date of birth, address, phone number, medical record number, provider, dates of service, health insurance information, Social Security number, and type of visit.    

We take patient trust and data protection very seriously, and we have taken several steps to mitigate and help prevent events like this from happening in the future. We investigated and called law enforcement, and we continue enhanced monitoring.  We are committed to reviewing and improving our systems to prevent future incidents.

We regret any inconvenience or concern caused by this incident. If you have any questions or concerns, please call us toll-free at 833-745-0871, Monday through Friday from 8 a.m. to 8 p.m. Central Time (excluding major U.S. holidays). We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your personal account statements and monitoring free credit reports for suspicious activity and to detect errors.

Affected individuals were mailed a notification letter from UI Health Care on August 29, 2025. 

While the information potentially obtained for each person was not identical, the data elements involved potentially include: name, date of birth, medical record number, provider, type of visit, insurance information, and date of service. 

UI Community HomeCare quickly took action to protect patients and prevent further harm by shutting down their servers and bringing in cybersecurity experts to investigate. Once UI Health Care learned that the cybercriminal was able to see and take copies of data files containing information from a group of UI Health Care patients, it took immediate steps to notify affected individuals. 

UI Health Care’s electronic health record system and information technology services are separate from UI Community HomeCare and were not affected. UI Community HomeCare has contained the incident affecting its systems and continues enhanced monitoring. 

UI Health Care and UI Community HomeCare will continue to work together to strengthen its systems to protect against future threats. UI Community HomeCare took immediate steps following the incident, including implementing new monitoring tools, updating firmware, changing passwords, and removing files from impacted hardware. 

While we have taken steps to mitigate and help prevent events like this from happening, cyberattacks continue to be prevalent, so we will remain vigilant and strive for continuous improvement. 

There are approximately 211,000 total affected individuals. 

UI Community HomeCare is a full-service home infusion and medical equipment services provider that serves individuals living in Iowa, western Illinois, and northern Missouri. While UI Community HomeCare and UI Health Care have separate operating systems, electronic health record systems, and information technology services, their relationship has historically involved sharing some patients, employees, and data files.    

We apologize for any disruption this may have caused. An individual’s personal health information is still covered by HIPAA for 50 years after death so we are required to notify the next of kin in this situation.  

At this time, UI Community HomeCare has no indication that your/your loved one’s information was misused. 

There is no indication that your or your loved one’s information has been misused, so UI Community HomeCare is not offering credit monitoring services at this time. 

Although there is no indication at this time that your information has been misused, we encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your personal account statements and monitoring free credit reports for suspicious activity and to detect errors. The letter you received should have more information on steps you can take to protect your personal information. More information is also available below this FAQ and at uihc.org. 

Your information was likely included in a data file that was shared with UI Community HomeCare, which is an affiliate of University of Iowa Health Care. While UI Community Home Care and UI Health Care have separate operating systems, electronic health record systems, and information technology services, their relationship has historically involved sharing patients, employees, and data files. Files containing UI Health Care patient data were stored on UI Community HomeCare computer system and compromised during the data incident.  

Yes, the letter is an official notification informing you of the incident and providing resources to help protect your personal information. We worked with a third-party to help with distributing the letters which is why they are postmarked from outside of Iowa.

We have no indication that Social Security numbers were included in the files that were compromised. 

If you did not receive a letter, it is likely that your information was not affected by the incident.