Clarinda Regional Health Center in Iowa yesterday confirmed it notified 24,341 people of an October 2025 data breach that compromised the following personal info:
- Names
- Social Security numbers
- Medical info
- Health insurance info
- Financial account numbers
- Taxpayer ID numbers
- Dates of birth
- Driver’s license numbers
A ransomware group called LockBit took credit for the breach on December 11, 2025. The hospital says it discovered the breach on December 15, 2025.
Clarinda Regional Health Center has not acknowledged LockBit’s claim and Comparitech cannot independently verify it. We do not know how attackers breached CRHC’s network, if CRHC paid a ransom, or how much LockBit demanded. Comparitech contacted CRHC for comment and will update this article if it replies.
“On or around December 15, 2025, we learned that certain data within our network may have been accessed without authorization,” says CRHC’s notice to breach victims. “As a result of the investigation, Clarinda determined that certain files may have been acquired without authorization in or around October 2025.”
CRHC is offering breach victims 12 months of free credit monitoring through TransUnion. The deadline to enroll is 90 days from the date on the notice letter.
Who is LockBit?
LockBit is a Russia-based cybercriminal gang that first appeared in 2019. Its malware both locks down computers and steals data. LockBit operates a ransomware-as-a-service scheme in which affiliates pay to use LockBit’s malware and infrastructure to launch attacks and collect ransoms.
LockBit claimed responsibility for 133 ransomware attacks in 2025. Of those, 12 were confirmed by the organizations it targeted.
Clarinda wasn’t the only hospital hit by LockBit that year. In August 2025, the group said it hacked Insight Hospital & Medical Center in Illinois, which confirmed a data breach.
LockBit is gaining momentum once again in 2026. The group has taken credit for 156 more attacks this year so far, 18 of which were confirmed. Three of those hit healthcare providers:
- Mt. Spokane Pediatrics (WA) notified 32,021 people of a January 2026 data breach
- Elmwood Healthcare (RI) reported a January 2026 data breach
- Consorzio Selenia (Italy) reported a March 2026 data breach
Ransomware attacks on US healthcare
Comparitech researchers logged 142 confirmed ransomware attacks on US hospitals, clinics, and other healthcare providers in 2025. Those attacks compromised 12.3 million personal records.
In 2026 to date, we’ve recorded 16 more such attacks that compromised 66,400 records. Other recent examples include:
- Western Orthopaedics (CO) notified 113,330 people of of a September 2025 data breach claimed by PEAR
- Central Medical Services of Westrock (NY) reported a May 2026 data breach claimed by Inc
- Nottingham Village (PA) notified 7,919 people of a November 2025 data breach claimed by Qilin
- Rivertown Surgery Center (SC) notified 1,426 South Carolinians of a September 2025 data breach claimed by Qilin
- NJ Pain Care Specialists (NJ) reported a February 2026 data breach claimed by Lynx
Ransomware attacks on hospitals, clinics, and other care providers can steal data and lock down infected computer systems. They can cripple critical systems and endanger the health, privacy, and security of patients. Infected hospitals and clinics must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk. Hospitals and clinics might resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.
About Clarinda Regional Health Center
Founded in 1939, Clarinda Regional Health Center is a 47-bed hospital in southwest Iowa. CRHC also operates Villisca Family Health Center and Bedford Family Health Center.