Over 23,000 patients affected in Clarinda Regional Health Center data breach

Iowa-based healthcare provider Clarinda Regional Health Center reported that a data security incident in 2025 exposed the sensitive personal information of more than 23,000 patients.

 

Clarinda Regional Health Center is a critical access hospital in Clarinda, Iowa, providing comprehensive healthcare services, including emergency care, specialty clinics, rehabilitation, and family medicine. Known for its patient-centered approach, CRHC serves communities across southwest Iowa and northern Missouri.

 

In a data security incident notice posted on its website, CRHC said that on December 15, it identified unauthorised activity within its internal network. The healthcare provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident. It also took steps to secure the affected network and notified relevant law enforcement authorities about the incident.

 

“The investigation revealed that certain files may have been acquired by an unauthorised actor in or around October 23, 2025,” CRHC said.

 

The compromised data included names, Social Security numbers, dates of birth, medical information, health insurance information, financial account numbers, driver’s license numbers and taxpayer identification numbers. In a filing with the Maine state regulator’s office, CRHC said that it has identified at least 24,341 individuals who were affected by the incident.

 

“In response to the incident, we took the steps described above and implemented measures to enhance security and minimise the risk of a similar incident occurring in the future,” CRHC added.

 

The healthcare provider has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. 

 

It has also offered complimentary identity protection and credit monitoring services through TransUnion to all affected individuals.

 

The LockBit ransomware group claimed responsibility for the cyber attack on Clarinda Regional Health Center, listing the healthcare provider as a victim on its data leak site. The group said it had obtained confidential data from CRHC and threatened to release the entire database unless the healthcare company paid a ransom to regain access to its data.