Heart of America Medical Center, a rural community hospital in Rugby, North Dakota, suffered a data breach that compromised the personal and medical information of 2,136,993 individuals. The breach was reported in September 2025. The attack vector has not been publicly disclosed. The scale of the breach far exceeds the hospital's local patient population, suggesting the exposed data extended to historical records or regional data holdings beyond current active patients. The breach exposed a combination of names, home addresses, email addresses, phone numbers, Social Security numbers, and medical diagnosis information. This is among the most sensitive categories of personal data. Social Security numbers enable identity theft and fraudulent credit applications. Medical diagnosis records can be used to target individuals with health-related scams, manipulate insurance claims, or cause personal harm if disclosed. Affected individuals face compounding risks because both financial and medical fraud are possible from a single breach event. No major class-action settlement has been documented as of early 2026. The hospital notified affected individuals and reported the breach to relevant regulators, as required under federal health privacy law (HIPAA). Anyone who has received care at or affiliated with Heart of America Medical Center should monitor their credit reports, review their health insurance statements for unfamiliar claims, and consider placing a fraud alert or credit freeze with the major credit bureaus.

Regional medical centers collect patient identity, insurance, financial, and clinical data across hospital, outpatient, and administrative systems.

Heart of America Medical Center operates as an independent rural community hospital. No major organizational changes have been publicly reported beyond the 2025 breach and its aftermath.