Victim Count of Nationwide Recovery Service Data Breach Grows to 516,000 Individuals
The victim count from a Nationwide Recovery Service data breach last year has been growing, with more HIPAA-covered entity clients announcing the data breach over the past weeks. Nationwide Recovery Service is a Cleveland, TN-based debt collection agency and subsidiary of Accscient LLC. The breach is now known to have affected hundreds of thousands of individuals.
Threat actors often target vendors, as an attack on a single vendor can provide the threat actor with access to the networks of their downstream clients, especially vendors that have privileged access to their clients’ systems, such as managed service providers. Vendors also hold data for large numbers of clients, as the ransomware attack on Change Healthcare last year demonstrated. That single attack gave a ransomware group access to the protected health information of an estimated 190 million individuals.
Over the past two months, the scale of the Nationwide Recovery Service data breach has become clearer. In this case, the hackers do not appear to have gained access to the networks of its clients, but did obtain a sizeable amount of data from the Nationwide Recovery Service network. The affected HIPAA-regulated entities have been reporting the data breach over the past couple of months, although the data breach occurred in the summer of 2024.
Nationwide Recovery Service explained that it experienced a security incident that caused a network outage. The incident was detected on July 11, 2024, with the threat actor accessing its network between July 5, 2024, and July 11, 2024. During that time, files containing personally identifiable and protected health information were exfiltrated from its network. The types of data stolen in the incident vary from individual to individual and from client to client, generally including names, contact information, Social Security numbers, financial account information, guarantor information, and medical information.
Nationwide Recovery Service completed the review of the affected files in early February 2025 and started notifying the affected clients. Nationwide Recovery Service has not disclosed which of its clients have been affected. No known threat actor has publicly claimed responsibility for the attack, which suggests that a ransom may have been paid. Many of the affected covered entity clients were only informed about the hack in March this year. HIPAA-covered entities have 60 days from the date of discovery of a data breach to issue notifications, which means further clients may report the breach in the next couple of weeks.
The scale of the data breach is not yet known. Nationwide Recovery Service reported the data breach to the HHS’ Office for Civil Rights on September 9, 2024, as a hacking incident with 501 affected individuals – a placeholder figure used to meet breach reporting requirements, as the investigation had not yet been completed. That total has not yet been updated. The final total will only include the clients that have instructed Nationwide Recovery Service to issue notifications. Some have chosen to report the data breach themselves, including to state Attorneys General and the HHS’ Office for Civil Rights.
Covered entity clients that have reported the breach include:
| Affected Entity | Individuals Affected |
| Nationwide Recovery Service | Placeholder estimate used: At least 501 individuals |
| Harbin Clinic | 176,149 |
| Select Medical Holdings Corporation | 119,525 |
| TRG Medical Imaging (The Radiology Group) | 70,434 |
| UChicago Medicine Medical Group (formerly Primary Healthcare Associates) | 38,656 |
| Shore Medical Center | 31,177 |
| MAK Anesthesia | 24,079 |
| Northeast Georgia Health System | 21,000 |
| Radiology Chartered | 12,656 |
| Vitruvian Health, including Hamilton Health Care System, Hamilton Emergency Medical Services, Hamilton Physician Group, Hamilton Medical Center, and Anna Shaw Children’s Institute | 8,848 |
| Rhea Medical Center | 8,309 |
| Erlanger Western Carolina Hospital (formerly Murphy Medical Center) | 3,371 |
| Swedish Edmonds Hospital (Formerly Stevens Memorial Hospital) | 886 |
| City of Chattanooga | 838 |
| Duncan Regional Hospital (DRH Health) | Unknown |
| Smile Solutions of Goodlettsville | Unknown |
| Total | 516,429 |
Many lawsuits have already been filed by individuals affected by the Nationwide Recovery Service data breach, alleging the company was negligent for failing to protect the data it stored on its network, with several of the affected clients choosing to terminate their contracts with the company.
There have been other hacking incidents at debt collection agencies that have affected thousands of individuals, or in some cases, several million individuals. A breach at Financial Business and Consumer Solutions in 2024 affected more than 4 million individuals, and a 2021 cyberattack on American Medical Collection Agency (AMCA) affected almost 24 million individuals.
