Six more Nationwide Recovery Service (NRS) clients confirmed that the NRS data breach resulted in the theft of sensitive data. The list of new victims includes
- Smile Solutions of Goodlettsville
- The City of Chattanooga
- Duncan Regional Hospital
- MAK Anesthesia
- Swedish Edmonds Hospital
- UCM Medical Group
The following lists the HIPAA-covered entities that have confirmed early on that they were NHS breach victims:
- Harbin Clinic
- Chartered Radiology
- Northeast Georgia Health System
- Erlanger Western Carolina Hospital
- Rhea Medical Center
- Vitruvian Health
The Vitruvian Health data breach, in turn, affected the following entities:
- Hamilton Physician Group
- Hamilton Health Care System and its affiliates
- Hamilton Medical Center
- Hamilton Emergency Medical Services
- Anna Shaw Children’s Institute
Many entities with HIPAA-certification use NRS to get funds from overdue accounts, and for concerns associated with bankruptcies, legal cases, and patient estate issues. NRS is given access to protected health information (PHI) like names, contact details, financial account data, Social Security numbers, and medical data so as to deliver those services. In certain instances, NRS was given system access by its clients.
NRS discovered suspicious activity within its computer system in July 2024 and implemented security measures to stop unauthorized access. The attack led to a system outage, but there is no confirmation if ransomware was behind it. According to the forensic investigation, hackers got access to the NRS system from July 5, 2024 to July 11, 2024 and exfiltrated files that contain sensitive data. NRS performed an analysis of the stolen files and informed the impacted clients from February to March 2025. After sending notification letters to the impacted individuals, lawsuits were filed against NRS as well as its impacted clients.
UChicago Medicine Medical Group (UCM Medical Group), previously Primary Healthcare Associates, is one of the HIPAA-covered entities that recently verified that it was impacted by the cyberattack. The medical group mentioned it received notification on April 8, 2025, about the compromise of patient data in the attack. Affected information included names, addresses, birth dates, financial account information, Social Security numbers, and medical data. UCM Medical Group stated it is sending notification letters to the impacted persons and has ended its business partnership with NRS because of the data breach.
HIPAA-covered entities that the NRS data breach has impacted include:
1. Nationwide Recovery Service – at least 501 individuals affected
2. Harbin Clinic – 176,149 individuals affected
3. Vitruvian Health, including Hamilton Emergency Medical Services, Hamilton Health Care System, Hamilton Physician Group, Anna Shaw Children’s Institute, and Hamilton Medical Center – 88,848 individuals affected
4. UChicago Medicine Medical Group (earlier known as Primary Healthcare Associates) -38,000 individuals affected
5. Northeast Georgia Health System – 21,000 individuals affected
6. Chartered Radiology – 12,656 individuals affected
7. Rhea Medical Center – 8,309 individuals affected
8. Erlanger Western Carolina Hospital (earlier known as Murphy Medical Center) – 3,193 individuals affected
9. Swedish Edmonds Hospital (Earlier known as Stevens Memorial Hospital) – 886 individuals affected
10. City of Chattanooga – 838 individuals affected
11. MAK Anesthesia Georgia – to be confirmed
12. Duncan Regional Hospital (DRH Health) -to be confirmed
13. Smile Solutions of Goodlettsville – to be confirmed
Threat actors prefer attacking vendors because it could enable them to access the systems of the vendor’s clients or steal their sensitive information. Debt collection agencies like NRS are appealing targets because they are given access to sensitive information that could be employed for identity theft and fraud. The American Medical Collection Agency cyberattack in 2018 made it possible for a threat actor to steal more than 24 million individuals’ sensitive information.
