Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Mower County ransomware attack exposes health data

Written by Farah Amod | August 27, 2025

Officials confirm that protected health information was accessed during a June ransomware attack on the county’s Health and Human Services systems.

 

What happened

Mower County officials have confirmed that a June 2025 ransomware attack led to unauthorized access and acquisition of protected health information (PHI) belonging to individuals who used services from the County’s Health and Human Services Department. While there is no current evidence of misuse, the breach has sparked public concern and skepticism toward the county’s data security practices.

County Administrator Matthew Verdick noted that it remains unclear who carried out the attack, which residents were affected, and which specific data was accessed. The county is now working with federal law enforcement as part of an ongoing investigation and plans to notify affected individuals once the review is complete.

 

Going deeper

County officials advised residents to stay alert for signs of identity theft and fraud. This includes regularly reviewing bank statements, credit reports, and health insurance explanation of benefits (EOBs) for any unusual activity. Residents are encouraged to contact their healthcare provider or insurer if they notice unfamiliar services listed on their EOBs.

Cybersecurity expert Sai Huda stated that once data has been stolen, it is often impossible to retrieve, underscoring the need for stronger preventative measures rather than reliance on post-incident recovery. Mower County has announced that it will continue investing in cybersecurity upgrades, including evaluating new records management systems.

 

What was said

“It makes me question how tight security is around Mower County,” said local resident Alex Centeno, reflecting a broader community distrust in the wake of the incident.

“The privacy and security of the information we maintain is very important to us,” said County Administrator Matthew Verdick in a public statement. “We remain committed to doing everything we can to maintain the confidentiality of such information.”

The county also stated it will offer complimentary credit monitoring services to impacted individuals once the review is finalized.

 

FAQs

What is protected health information (PHI), and why is it sensitive?

PHI includes any health-related data that can identify an individual, such as diagnoses, treatments, insurance information, or Social Security numbers, making it valuable for identity theft or insurance fraud.

 

What is an Explanation of Benefits (EOB), and how can I use it to detect fraud?

An EOB is a statement from your health insurance company detailing medical services billed and covered. If you see services listed that you never received, it could indicate your data has been misused.

 

Are ransomware attacks typically resolved by paying a ransom?

Not always. While some organizations choose to pay, law enforcement generally advises against it. The success of recovery efforts depends on existing backups, response plans, and the nature of the attack.

 

What steps can residents take now to protect themselves?

Monitor your credit reports, bank activity, and insurance records. Consider placing a fraud alert or credit freeze with major credit bureaus for added protection.

 

How do local governments typically improve cybersecurity after an incident?

Common improvements include implementing multi-factor authentication, upgrading software systems, training staff on phishing threats, and conducting regular risk assessments and audits.