Physicians’ Clinic of Iowa Cyberattack, What Patients Should Know
Physicians’ Clinic of Iowa (PCI), one of Iowa’s largest private multi-specialty medical practices, has been claimed as a victim by the Anubis ransomware group following a reported data exfiltration on February 26, 2026. Cybersecurity intelligence sources indicate that sensitive patient data — including personal identifiers and protected health information (PHI) — may have been compromised. As of the date of publication, PCI has not publicly confirmed the breach or disclosed the full scope of affected individuals. Attorneys are now investigating whether a class action lawsuit can be filed on behalf of potentially affected patients.
Quick Facts
| Detail | Information |
| Organization | Physicians’ Clinic of Iowa (PCI) |
| Location | Cedar Rapids, Iowa |
| Incident Type | Ransomware / Data Exfiltration |
| Threat Actor | Anubis ransomware group |
| Reported Date | February 26, 2026 |
| Data Volume Claimed | Approximately 236 GB |
| Data Exposed | Personal identifiers, protected health information (PHI) — full scope TBD |
| Number Affected | Not yet disclosed |
| Settlement Status | No settlement; class action investigation underway |
| Official PCI Statement | Not yet issued (as of March 5, 2026) |
What Happened
Emerging reports indicate that threat actor Anubis may have exfiltrated sensitive data from Physicians’ Clinic of Iowa on February 26, 2026. The incident was flagged by cybersecurity intelligence platform Ransomware.Live, which indicated that Anubis published images suggesting that personal identifiers and protected health information were compromised — though the full content and authenticity of these materials have not been independently verified.
Threat intelligence firm FalconFeeds reported that approximately 236 GB of data was claimed as compromised in the incident.
According to RedPacket Security, which monitors dark web ransomware activity, the Anubis leak page did not specify a concrete compromise date, but the post was timestamped February 26, 2026. The disclosure did not present a ransom amount or explicit demand, framing the incident primarily as a data breach announcement.
As of publication, Physicians’ Clinic of Iowa has not issued a public statement confirming or denying the attack, and has not disclosed whether patient notification letters have been sent. The number of individuals affected has not been disclosed.
About Physicians’ Clinic of Iowa
PCI operates one of Iowa’s largest private, multi-specialty practices, headquartered in Cedar Rapids. It also operates a urology office and extends services to various hospitals and urgent care facilities across Iowa. The clinic serves a broad patient population across multiple medical specialties, meaning a significant number of Iowa residents could potentially be affected if the breach is confirmed.
What Information May Have Been Exposed
The complete scope of exposed data has not been confirmed by PCI. Based on threat intelligence reports, Anubis published materials indicating that both personal identifiers and protected health information were involved. In healthcare breaches of this nature, data at risk commonly includes:
- Full names and dates of birth
- Home addresses and phone numbers
- Medical record numbers and patient IDs
- Diagnosis and treatment information
- Health insurance details and policy numbers
- Provider and visit information
- Social Security numbers (unconfirmed in this incident)
- Financial account information (unconfirmed in this incident)
Until PCI issues an official breach notification, the precise categories of exposed data remain unconfirmed. Affected individuals should watch for notification letters, which healthcare organizations are required to send under HIPAA within 60 days of discovering a breach.
How Many People Were Affected
The total number of individuals affected by the Physicians’ Clinic of Iowa cyberattack has not been publicly disclosed. PCI has not filed a breach notification with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights breach portal as of the time of publication. Given that PCI is one of Iowa’s largest multi-specialty practices serving multiple facilities statewide, the patient population at risk could be substantial, though confirmed figures are not yet available.
Company Response
As of March 5, 2026, Physicians’ Clinic of Iowa has not issued a public statement acknowledging the reported cyberattack. It is not yet known whether the clinic has:
- Engaged a third-party cybersecurity firm to investigate
- Notified law enforcement, including the FBI
- Begun notifying potentially affected patients
- Offered credit monitoring or identity protection services
This article will be updated as official information becomes available. Patients who believe they may be affected are encouraged to monitor PCI’s official website at pcofiowa.com for any breach notification notices.
Legal Action: Class Action Investigation Underway
Attorneys working with ClassAction.org are investigating whether a class action lawsuit can be filed in light of the possible data breach. They are seeking to hear from individuals who may have had their information exposed, including current and former patients.
If a class action is filed, it would likely allege that Physicians’ Clinic of Iowa failed to implement adequate cybersecurity safeguards to protect sensitive patient information, and that this failure violated HIPAA and applicable state consumer protection laws. A successful lawsuit could potentially provide affected individuals with compensation for loss of privacy, time spent addressing the breach, and out-of-pocket costs related to identity monitoring or fraud remediation.
No lawsuit has been filed as of the date of this article. No settlement exists. This is an active investigation at an early stage.
What Affected Individuals Should Do Right Now
Whether or not you have received a formal notification from PCI, if you are a current or former patient, consider taking the following steps immediately:
1. Watch your mail and email. HIPAA requires covered healthcare entities to notify affected individuals within 60 days of a confirmed breach. A formal notification letter from PCI would detail what specific data was involved in your case.
2. Monitor your credit reports. Visit AnnualCreditReport.com to pull free reports from all three major bureaus — Equifax, Experian, and TransUnion. Review them carefully for unfamiliar accounts or inquiries.
3. Consider placing a credit freeze. A credit freeze is free and prevents new credit from being opened in your name without your authorization. Contact each of the three bureaus directly to place a freeze.
4. Set up fraud alerts. You can place a one-year fraud alert with any one bureau, which will then notify the others. This alerts lenders to take extra steps to verify your identity before opening new accounts.
5. Monitor your health insurance statements. If medical records were exposed, watch your Explanation of Benefits (EOB) statements for any services you didn’t receive — a warning sign of medical identity theft.
6. Update passwords and enable multi-factor authentication. If you use an online patient portal with PCI, change your password immediately and enable two-factor authentication where available.
7. Contact an attorney. If your information was exposed, you may have legal rights. Consulting a consumer protection or data breach attorney at no cost can help you understand your options.
Broader Context: Healthcare Remains a Prime Target
The Anubis group’s claimed attack on PCI is part of a broader and escalating pattern of ransomware targeting U.S. healthcare providers. Cyberattacks on healthcare organizations — including hospital systems, clinics, and health insurers — are part of an alarmingly rising trend that has contributed to significant financial losses and disrupted patient care, causing delays in treatment, disabling hospital networks, and compromising sensitive medical data.
Of all the modes of cyberattack targeting healthcare organizations, ransomware is the most common, with phishing frequently serving as the initial entry point for such attacks.
Iowa has seen a notable rise in healthcare cybersecurity incidents in recent years. A separate 2026 breach at OpenLoop Health, a telehealth infrastructure company, allegedly exposed health records linked to more than 1.6 million patients and resulted in a class action lawsuit filed in U.S. District Court for the Southern District of Iowa.
Frequently Asked Questions
Q: Am I affected by the Physicians’ Clinic of Iowa data breach?
If you are a current or former patient of PCI — including patients seen at its Cedar Rapids facilities, urology office, or affiliated Iowa hospitals and urgent care centers — your information may potentially be at risk. PCI has not yet confirmed or quantified the scope of the breach.
Q: What data was exposed in the PCI cyberattack?
Based on threat intelligence reports, Anubis published images indicating personal identifiers and protected health information were compromised. The full and specific data types have not been confirmed by PCI.
Q: Is there a class action lawsuit or settlement?
No lawsuit has been filed and no settlement exists as of March 5, 2026. Attorneys are currently investigating whether a class action suit is viable. Affected patients can contact attorneys at ClassAction.org to participate in the investigation.
Q: How do I file a claim?
There is no active claim process at this time. If a class action is filed and a settlement is reached in the future, claim filing information will be published on an official settlement website. Check back here for updates.
Q: What should I do if I get a breach notification letter from PCI?
Read the letter carefully for the specific data categories that were exposed in your case. Follow any instructions for free credit monitoring or identity protection services that PCI may offer. Keep a copy of the letter for your records.
Q: Where can I find official updates from Physicians’ Clinic of Iowa?
Visit pcofiowa.com for any official statements or breach notifications. You may also check the HHS Office for Civil Rights Breach Portal at ocrportal.hhs.gov for any formal HIPAA breach filings.
Q: Could Physicians’ Clinic of Iowa face regulatory penalties?
If a HIPAA breach is confirmed, the clinic could face investigation by the HHS Office for Civil Rights, which has authority to impose civil monetary penalties for violations of patient data protection requirements. No regulatory action has been announced at this time.
Q: How is Anubis different from other ransomware groups?
Anubis is an active ransomware group known for data exfiltration and public “leak site” disclosures on the dark web, often used as leverage against victims. The group’s posting of PCI materials follows a pattern used across multiple industries in 2025 and 2026, though the specific tactics used to gain access to PCI’s systems have not been disclosed.
By Legal News Staff | Published: March 5, 2026
This article is for informational purposes only and does not constitute legal advice. Legal outcomes depend on specific facts and applicable law. Readers should consult a qualified attorney for advice regarding their individual circumstances.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah