Eight class-action lawsuits filed against UI Health Care, HomeCare over data breach

IOWA CITY — In less than two weeks after University of Iowa Health Care on Aug. 29 notified 211,000-some people that their personal information might have been compromised in a data-breach incident, at least eight of those affected filed separate class-action lawsuits seeking both compensatory and punitive damages.

“Although (UIHC) purportedly discovered the data breach in July of 2025, (it) failed to immediately notify and warn current and former patients, with (UIHC) waiting until August 29, 2025 to provide written notice to plaintiff and the proposed class,” according to one patient’s lawsuit filed Sept. 10 in Johnson County District Court.

“As a direct and proximate result of (UIHC’s) failures to protect current and former patients’ sensitive personal information and warn them promptly and fully about the data breach, plaintiff and the proposed class members have suffered widespread injury and damages necessitating plaintiff seeking relief on a class wide basis.”

Because the warning came from both UI Health Care and University of Iowa Community HomeCare — one of its affiliate companies that supports its mission — the eight separate lawsuits have a range of defendants, including UIHC, UI Community HomeCare, and UI Community Medical Services, which is the HomeCare’s LLC filed with the Secretary of State’s Office.

An attorney on Sept. 17 asked the court to consolidate the cases and appoint colead attorneys, given “each of the related actions arise from the same cybersecurity incident.”

“The complaints uniformly allege that on July 3, 2025, defendant’s computer systems were accessed by an unauthorized actor, who obtained or exfiltrated highly sensitive personally identifiable information and protected health information of approximately 211,000 patients,” according to the motion to consolidate.

A judge, at least initially, denied that request because “the defendants have not been served in any of the cases.”

“The motion may be refiled after the defendant has been served and can weigh in on whether the motion is resisted,” a judge wrote.

‘Waited nearly two months’

University of Iowa Health Care incorporated UI Community Medical Services LLC — which is doing business as UI Community HomeCare — three decades ago in 1995.

As a “full-service home infusion and medical equipment services provider that serves individuals living in Iowa, western Illinois, and northern Missouri,” UI Community HomeCare has its own operating and electronic health record system, separate from UI Health Care, although “their relationship has historically involved sharing some patients, employees, and data files.”

“On July 3, 2025, UI Community HomeCare had someone access its computer system without permission,” according to a notice sent to patient Roger Bradley, among the litigants suing UIHC. “UI Community HomeCare quickly took action to protect their patients and prevent further harm by shutting down their servers and bringing in cybersecurity experts to investigate.”

That investigation determined a cybercriminal had been able to “see and take copies of data in UI Community HomeCare’s computer system, which included some shared data files containing information from a group of UI Health Care patients.”

The files accessed might have included patient names, social security number, date of birth, phone number, medical record number, provider, visit type, insurance information, and date of service, according to the UIHC notice.

“Nevertheless, (UIHC) waited nearly two months to inform affected current and former patients of the unauthorized disclosure of their personal data in the data breach, waiting until August 29, 2025 … to provide written notice to plaintiff and the class,” according to Bradley’s lawsuit.

Bradley himself was required to share personal information with UIHC as a condition of receiving UI HomeCare services, even though he is “very careful about sharing his personal information” and “has never knowingly transmitted personal information over the internet or other unsecured source,” according to the suit.

“ (Bradley) stores any documents containing his personal information in a safe and secure location, and he diligently chooses unique usernames for his passwords and online accounts,” the lawsuit said. “In entrusting his personal information to (UIHC), (Bradley) believed that, as part of the payments for medical treatment and services, (UIHC) would adequately safeguard that information.”

Accusing the university of failing to “utilize reasonable data security measures,” Bradley said — had he known — he wouldn’t have entrusted his data to the university or “would have paid less for those treatments and services.”

‘Posted on the dark web’

As a result of the data breach, Bradley in his lawsuit said he’s “suffered, and imminently will suffer, injury-in-fact and damages, including the unauthorized disclosure of the personal information itself, which, on information and belief due to the nature of the cyberattack, has been or imminently will be used for criminal, fraudulent purposes and/or has been sold for such purposes and posted on the dark web for sale.”

He listed “myriad dangers” facing identity theft victims — including cybercriminals opening new financial accounts, credit cards, and loans in their name; lost health care benefits; hacked email accounts; damaged credit scores; mortgage and deed fraud; tax refund theft; social media account hacking; and the need to spend large amounts of time and money to recover their identities.

Due to the breach, Bradley has been and will be forced to spend considerable time and effort monitoring accounts and credit files, changing account passwords, verifying the data breach legitimacy, and protecting himself from identity theft.

“Furthermore, (Bradley) has been caused significant worry and feelings of anxiety and emotional distress regarding the disclosure of his personal information,” according to the lawsuit. “He fears for his personal financial security and uncertainty over the information disclosed in the data breach, and is experiencing emotional distress over the unauthorized disclosure of his personal information.”

Bradley in his lawsuit said he’s experiencing “embarrassment, sleep disruption, stress, and fear” because of the breach.

“This goes far beyond allegations of mere worry or inconvenience; it is exactly the sort of injury and harm to a data breach victim that is contemplated and addressed by law,” he said in the suit. “As a result of the data breach, (Bradley) faces a lifetime risk of identity theft, as it includes sensitive information that cannot be changed.”

And, Bradley said, the university still has his personal information “without adequate protection against known threats, exposing (him) to the prospect of additional harm.”

Although the university hasn’t responded directly to the lawsuit, it has on its website provided data on the breach and what it’s doing.

“There is no indication that the data contained in accessed files has been misused,” officials reported.

“We take patient trust and data protection very seriously, and we have taken several steps to mitigate and help prevent events like this from happening in the future,” they said. “We investigated and called law enforcement, and we continue enhanced monitoring. We are committed to reviewing and improving our systems to prevent future incidents.”

Vanessa Miller covers higher education for The Gazette.

Comments: (319) 339-3158; vanessa.miller@thegazette.com