Iowa Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A detailed timeline of major cybersecurity incidents in Iowa, from insurance industry breaches to ransomware attacks on hospitals, universities, and agricultural technology firms.
Iowa occupies a distinctive position in the American cybersecurity landscape. Des Moines is the insurance capital of the United States — often called the "Hartford of the West" — with Principal Financial Group, EMC Insurance, FBL Financial Group, and dozens of other carriers headquartered in the metro area. Beyond insurance, Iowa's economy runs on agriculture, food processing, and a growing manufacturing sector that includes John Deere operations and a network of advanced manufacturers throughout the state. Each of these industries handles sensitive financial, health, and proprietary data that attackers actively seek to compromise.
The incidents documented below demonstrate that Iowa is not immune to the national epidemic of cyberattacks. From insurance company data exposures to hospital ransomware attacks and university breaches, these cases carry practical lessons for every Iowa organization. For a deeper analysis of the risks, see our assessment of the Iowa cyber threat landscape, and for regulatory obligations, consult our guide to Iowa cybersecurity compliance requirements.
Major Cyber Incidents in Iowa: A Timeline
2013 — Iowa Health System (UnityPoint Health) Phishing Attack
UnityPoint Health, one of Iowa's largest health systems with hospitals and clinics across the state, experienced the first in a series of phishing-related breaches in 2013 when employee email accounts were compromised. The incident exposed patient names, dates of birth, medical record numbers, and treatment information. While the initial breach was relatively contained, it foreshadowed more significant incidents that would follow at the same organization.
2017 — Wellmark Blue Cross Blue Shield Anthem Connection
While the massive 2015 Anthem breach — which exposed 78.8 million records — was not an Iowa-specific incident, Wellmark Blue Cross Blue Shield, Iowa's largest health insurer, was an Anthem affiliate at the time and was affected through shared network connections. The incident prompted Wellmark to accelerate its cybersecurity investments and implement enhanced monitoring across its Iowa operations. The case illustrated how affiliate and vendor relationships can expose Iowa organizations to breaches originating elsewhere.
2018 — UnityPoint Health Business Email Compromise
In a far more serious incident, UnityPoint Health disclosed in 2018 that a business email compromise attack had exposed the protected health information of approximately 1.4 million patients. Attackers gained access to employee email accounts through a sophisticated phishing campaign and used the compromised accounts to send further phishing emails internally. The breach affected patients across UnityPoint's Iowa, Illinois, and Wisconsin operations and resulted in a $2.8 million settlement with affected patients. It was the largest healthcare breach in Iowa history and one of the largest BEC-related healthcare breaches nationally.
2019 — Coalfire Penetration Testing Arrest
In September 2019, two employees of the cybersecurity firm Coalfire were arrested while conducting an authorized physical penetration test of the Dallas County Courthouse in Adel, Iowa. The testers had a contract with the Iowa Judicial Branch to test physical security, but a miscommunication between the state court administration and local authorities led to their arrest on charges of burglary. The incident, which drew national attention, was ultimately resolved when charges were reduced and the individuals entered deferred judgments. While not a cyberattack, the case highlighted communication gaps that can undermine even legitimate security testing programs.
2020 — Mercy Iowa City Phishing Breach
Mercy Iowa City reported a data breach in 2020 after an employee email account was compromised through a phishing attack. The breach exposed protected health information for approximately 60,000 patients, including names, dates of birth, Social Security numbers, driver's license numbers, medical information, and health insurance details. Mercy Iowa City offered affected individuals two years of free credit monitoring and identity protection services and implemented additional email security controls in response.
2021 — Iowa State University Credential Theft Campaign
Iowa State University in Ames disclosed that a credential theft campaign had compromised multiple faculty and staff accounts. The attackers used the stolen credentials to access university systems containing research data, student records, and in some cases export-controlled technical information related to federally funded research projects. The university mandated phishing-resistant multi-factor authentication across all accounts and conducted a security review of research computing infrastructure in response.
2022 — MercyOne Des Moines Ransomware Attack (CommonSpirit Health)
MercyOne's Des Moines-area hospitals were significantly affected by the October 2022 ransomware attack on their parent organization, CommonSpirit Health. The attack disrupted electronic health records, delayed patient care, and forced clinicians to rely on paper-based processes for weeks. MercyOne Des Moines Medical Center, one of the busiest hospitals in Iowa, experienced significant operational disruption as a result. The CommonSpirit breach ultimately affected an estimated 623,774 individuals nationwide and highlighted the systemic risk that comes with consolidation in the healthcare industry.
2023 — Grinnell Mutual Reinsurance Company Incident
Grinnell Mutual, one of the largest reinsurance companies in the United States and headquartered in Grinnell, Iowa, disclosed a cybersecurity incident in 2023 that prompted an investigation by third-party forensic specialists. The company detected unusual network activity and took systems offline as a precaution, temporarily disrupting operations for policyholders and agents. While the full details of the incident were not publicly disclosed, the case illustrated that Iowa's insurance industry is not immune to the cyber threats that have plagued the sector nationally.
Iowa's Data Breach Notification Law
Iowa's breach notification requirements are codified in Iowa Code Chapter 715C, known as the Personal Information Security Breach Protection Act. The law requires any person or business that owns or licenses computerized personal information of Iowa residents to provide notice to affected individuals following a breach. Notification must be made in the most expeditious manner possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore system integrity.
If a breach affects 500 or more Iowa residents, the organization must notify the Iowa Attorney General within five business days of providing notice to the individuals. Personal information under the statute includes an individual's name combined with Social Security numbers, driver's license numbers, financial account numbers with access credentials, or unique biometric data. Iowa's law was updated in 2022 to add biometric data to the definition of personal information. For a complete overview, see our Iowa compliance and privacy law guide.
Which Iowa Industries Are Most Targeted?
Insurance and Financial Services
Des Moines is the headquarters of Principal Financial Group, EMC Insurance Companies, FBL Financial Group, CUNA Mutual Group, and numerous other carriers and financial institutions. The insurance industry handles vast quantities of personally identifiable information, financial data, and health information that commands premium prices on dark web markets. Insurers are also high-value ransomware targets because prolonged downtime can delay claims processing and trigger regulatory scrutiny.
Healthcare
Iowa's healthcare sector, anchored by organizations like UnityPoint Health, MercyOne, and the University of Iowa Hospitals and Clinics, has been disproportionately affected by cyber incidents. The combination of valuable patient data, legacy systems, and the operational imperative to restore care as quickly as possible makes healthcare organizations particularly vulnerable to ransomware and phishing attacks.
Agriculture and Ag Technology
Iowa leads the nation in corn and hog production, and the state's agricultural sector is increasingly dependent on precision agriculture technologies — GPS-guided equipment, soil sensor networks, drone imaging, and cloud-based crop management platforms. John Deere's operations in Iowa are at the forefront of this digital transformation. Cyberattacks on agricultural technology platforms could disrupt planting or harvesting at critical times, with potential consequences for national food supply chains. Organizations in this space should consider managed IT services for manufacturing operations to secure both IT and operational technology environments.
Manufacturing
Iowa's manufacturing sector includes advanced manufacturers producing agricultural equipment, food processing machinery, wind energy components, and defense-related products. These companies increasingly rely on connected industrial control systems that expand their cyber attack surface. Small and mid-size manufacturers are particularly vulnerable because they often lack dedicated security staff. Managed IT services for small businesses can help these organizations build cybersecurity capabilities without the cost of a full in-house team.
What Iowa Businesses Must Do After a Breach
When an Iowa organization discovers a breach, it must notify affected individuals in the most expeditious manner possible under Iowa Code Chapter 715C. If the breach affects 500 or more Iowa residents, the organization must notify the Iowa Attorney General within five business days of notifying individuals. The notification must include a description of the breach, the types of information compromised, and contact information for the organization.
Beyond legal compliance, organizations should immediately contain the breach, engage forensic investigators, preserve evidence for law enforcement, and notify their cyber insurance carrier. Organizations in regulated industries like insurance and healthcare face additional notification obligations under sector-specific laws — Iowa-domiciled insurers must also report cyber incidents to the Iowa Insurance Division.
How to Protect Your Iowa Business Before an Incident
Deploy multi-factor authentication everywhere: The most damaging Iowa breaches — including the UnityPoint Health BEC attack — were enabled by compromised credentials. MFA is the most effective single control for preventing credential-based attacks.
Implement email security controls: Advanced email filtering, DMARC authentication, and anti-phishing protections are essential given that phishing is the dominant initial access vector in Iowa incidents.
Segment insurance and financial data: Iowa's insurance companies should implement strict network segmentation to isolate policyholder data, claims systems, and financial records from general-purpose computing environments.
Secure agricultural technology systems: Companies deploying precision agriculture and connected farming technologies should ensure these systems are segmented from corporate networks and protected by access controls appropriate to their risk level.
Maintain a tested incident response plan: Every Iowa business should have a written plan that accounts for the state's Attorney General notification requirements and any industry-specific reporting obligations. Partner with a managed IT security services provider to ensure around-the-clock monitoring and rapid incident response.
Frequently Asked Questions
What was the largest data breach in Iowa history?
The 2018 UnityPoint Health business email compromise, which exposed the protected health information of approximately 1.4 million patients, is the largest data breach originating from an Iowa organization. The 2022 CommonSpirit Health ransomware attack also significantly affected Iowa through MercyOne's Des Moines-area hospitals.
Does Iowa have a data breach notification law?
Yes. Iowa Code Chapter 715C, the Personal Information Security Breach Protection Act, requires notification to affected individuals without unreasonable delay and notification to the Iowa Attorney General within five business days of notifying individuals when 500 or more residents are affected.
Which Iowa industries face the highest cyber risk?
Insurance and financial services, healthcare, agriculture and ag technology, and manufacturing face the highest cyber risk in Iowa. The concentration of insurance company headquarters in Des Moines makes the financial services sector a particularly prominent target.
Are Iowa agricultural businesses required to comply with cybersecurity regulations?
Iowa's breach notification law applies to any business that holds personal information of Iowa residents, including agricultural businesses. Additionally, ag companies that accept credit card payments must comply with PCI DSS, and those with government contracts may face federal cybersecurity requirements.
How does Iowa's breach notification law compare to other states?
Iowa's law is notable for its five-business-day Attorney General notification requirement following notification to individuals when 500 or more residents are affected. This is stricter than many states that either have no AG notification requirement or set higher thresholds. The 2022 amendment adding biometric data to the definition of personal information also brought the law in line with more progressive state statutes.
What role does cyber insurance play for Iowa businesses?
Cyber insurance is increasingly important for Iowa businesses, particularly in the insurance and healthcare sectors. Ironically, Iowa's insurance companies — which underwrite cyber policies — are themselves major consumers of cyber coverage. The market has tightened, with premiums increasing and security requirements becoming more stringent. Organizations should view cyber insurance as one component of a broader risk management strategy, not a substitute for robust security controls.
Alex Morgan
Updated Apr 5, 2026