On Dec. 6, 2024, Iron County Medical Center experienced a data breach that impacted 10,239 individuals in the United States. The incident began when two employees received a suspicious email from what appeared to be a third Iron County employee, requesting payment for an invoice.
Both recipients recognized the emails as suspicious and reported them immediately. In response, Iron County Medical Center reset all active sessions for every email account in its system, activated its incident response plan and engaged legal counsel. Through counsel, the hospital also brought in a reputable third-party forensics firm to investigate.
The investigation determined that an unknown threat actor gained unauthorized access to a single email account. Evidence indicated the attacker used the account to send two emails to Iron County employees, which were quickly detected and reported.
There was no evidence that emails were removed from the system or that any information was actually misused. However, Iron County Medical Center opted to notify affected individuals out of an abundance of caution.
The types of information potentially exposed in the breach included both personally identifiable information (PII) and protected health information (PHI): name, date of birth, date of service, doctor or provider name, employee ID, medical billing information, payment for health services information, incidental health reference, medical record number, procedure information, medical history, medical treatment information and other health insurance information.
The breach was disclosed to the U.S. Department of Health and Human Services on June 18, 2025. For more details, see the official breach disclosure on the HHS website.
Iron County Medical Center acted to contain the incident by blocking unauthorized access, investigating the breach and deploying additional security measures and tools with guidance from cybersecurity experts. The hospital has strengthened its network security to help prevent future incidents.
As part of its response, Iron County Medical Center is offering one year of complimentary identity protection services to those affected. Notification letters were mailed to impacted individuals on June 30, 2025, and included details about how to enroll in these services.
For a small number of people whose mailing addresses could not be located, the hospital has set up a toll-free number, 877-841-2712, available Monday through Friday, 9 a.m. to 9 p.m. Eastern Time, excluding U.S. holidays.
Those who believe they may have been affected but have not received a letter are encouraged to call the toll-free number. Iron County Medical Center also recommends that individuals take proactive steps such as enrolling in the offered credit monitoring, placing a fraud alert or security freeze on their credit files and regularly reviewing financial account statements and credit reports for suspicious activity.
For more information and updates, individuals can visit the Iron County Medical Center data incident notice page.
A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.
This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure.