Victim Count of Nationwide Recovery Service Data Breach Grows to 516,000 Individuals

The victim count from a Nationwide Recovery Service data breach last year has been growing, with more HIPAA-covered entity clients announcing the data breach over the past weeks. Nationwide Recovery Service is a Cleveland, TN-based debt collection agency and subsidiary of Accscient LLC. The breach is now known to have affected hundreds of thousands of individuals.

Threat actors often target vendors, as an attack on a single vendor can provide the threat actor with access to the networks of their downstream clients, especially vendors that have privileged access to their clients’ systems, such as managed service providers. Vendors also hold data for large numbers of clients, as the ransomware attack on Change Healthcare last year demonstrated. That single attack gave a ransomware group access to the protected health information of an estimated 190 million individuals.

Over the past two months, the scale of the Nationwide Recovery Service data breach has become clearer. In this case, the hackers do not appear to have gained access to the networks of its clients, but did obtain a sizeable amount of data from the Nationwide Recovery Service network. The affected HIPAA-regulated entities have been reporting the data breach over the past couple of months, although the data breach occurred in the summer of 2024.

Nationwide Recovery Service explained that it experienced a security incident that caused a network outage. The incident was detected on July 11, 2024, with the threat actor accessing its network between July 5, 2024, and July 11, 2024. During that time, files containing personally identifiable and protected health information were exfiltrated from its network. The types of data stolen in the incident vary from individual to individual and from client to client, generally including names, contact information, Social Security numbers, financial account information, guarantor information, and medical information.

Nationwide Recovery Service completed the review of the affected files in early February 2025 and started notifying the affected clients. Nationwide Recovery Service has not disclosed which of its clients have been affected. No known threat actor has publicly claimed responsibility for the attack, which suggests that a ransom may have been paid. Many of the affected covered entity clients were only informed about the hack in March this year. HIPAA-covered entities have 60 days from the date of discovery of a data breach to issue notifications, which means further clients may report the breach in the next couple of weeks.

The scale of the data breach is not yet known. Nationwide Recovery Service reported the data breach to the HHS’ Office for Civil Rights on September 9, 2024, as a hacking incident with 501 affected individuals – a placeholder figure used to meet breach reporting requirements, as the investigation had not yet been completed. That total has not yet been updated. The final total will only include the clients that have instructed Nationwide Recovery Service to issue notifications. Some have chosen to report the data breach themselves, including to state Attorneys General and the HHS’ Office for Civil Rights.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

Covered entity clients that have reported the breach include:

Affected Entity Individuals Affected
Nationwide Recovery Service Placeholder estimate used: At least 501 individuals
Harbin Clinic 176,149
Select Medical Holdings Corporation 119,525
TRG Medical Imaging (The Radiology Group) 70,434
UChicago Medicine Medical Group (formerly Primary Healthcare Associates) 38,656
Shore Medical Center 31,177
MAK Anesthesia 24,079
Northeast Georgia Health System 21,000
Radiology Chartered 12,656
Vitruvian Health, including Hamilton Health Care System, Hamilton Emergency Medical Services, Hamilton Physician Group, Hamilton Medical Center, and Anna Shaw Children’s Institute 8,848
Rhea Medical Center 8,309
Erlanger Western Carolina Hospital (formerly Murphy Medical Center) 3,371
Swedish Edmonds Hospital (Formerly Stevens Memorial Hospital) 886
City of Chattanooga 838
Duncan Regional Hospital (DRH Health) Unknown
Smile Solutions of Goodlettsville Unknown
Total 516,429

Many lawsuits have already been filed by individuals affected by the Nationwide Recovery Service data breach, alleging the company was negligent for failing to protect the data it stored on its network, with several of the affected clients choosing to terminate their contracts with the company.

There have been other hacking incidents at debt collection agencies that have affected thousands of individuals, or in some cases, several million individuals. A breach at Financial Business and Consumer Solutions in 2024 affected more than 4 million individuals, and a 2021 cyberattack on American Medical Collection Agency (AMCA) affected almost 24 million individuals.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/