Anatomy of a Healthcare Breach: The Myrtue Medical Center Incident      

Overview      

In June 2025, Myrtue Medical Center (MMC), a key provider for Harlan, Iowa, disclosed a significant cybersecurity incident affecting patients and employees. Local coverage first surfaced as MMC began responding to the attack on its network, underscoring how early ransomware claims can diverge from the actual, person‑level data at risk (Harlan Insider).      

How the Incident Unfolded      

MMC traced the breach timeline to June 13, 2025, when it detected suspicious activity and initiated an investigation (Myrtue public notice, PDF).       
By June 24, a group calling itself Worldleaks claimed responsibility and alleged the theft of 1.2 TB of data comprising 806,625 files-claims widely echoed in industry reporting (Becker’s, TEISS). Some outlets extrapolated the file count to suggest that up to ~806,000 people might be affected (HIPAA Times).      
On June 27, MMC published a notice and set up a toll‑free hotline for questions (Myrtue public notice, PDF).       
On July 21, the hospital informed the Iowa Attorney General that notification letters had begun going out-starting with employees and their dependents (AG filing, PDF).      

What Attackers Claimed vs. Reality      

The headline number-806,625 files-is attention‑grabbing, but it’s not the same as a count of affected individuals. A single person’s records can span many files: logs, attachments, duplicates, and system artifacts. Early media framing centered on the attacker’s claim of volume rather than the nature of the data itself (TEISS, HIPAA Times).      

What Myrtue Reported Was at Risk      

MMC has said the information potentially included combinations of personally identifiable information (PII), protected health information (PHI), and financial details-a familiar but serious mix in healthcare breaches (investigation summary).      

What Our Analysis Shows (databreach.com)      

Our parsing of the stolen data suggests approximate counts for key, person‑centric data elements:      

• 44,000 physical addresses       
• 9,400 phone numbers       
• 4,500 email addresses       
• 1,200 Social Security numbers      
  These counts focus on distinct, high‑value identifiers-not raw files-providing a clearer picture of real‑world risk.      

Why File Counts Mislead      

File totals are a poor proxy for impact. A database export, email PST, or log archive can inflate file numbers without increasing the number of people at risk. Measuring unique data elements (e.g., addresses and SSNs) better captures potential harm, notification scope, and remediation needs.      

Current Status      

As of late July, MMC has not provided a final count of uniquely affected individuals, noting that its forensic investigation is ongoing (Myrtue public notice, PDF). Official totals may change as validation continues.