Hamilton County (TN) & Bigfork Valley Hospital (MN) Announce Data Breaches
Hamilton County in Tennessee has confirmed that a data breach at a business associate involved the protected health information of 14,081 individuals. Bigfork Valley Hospital in Minnesota has confirmed that up to 8,496 individuals were affected by a November 2024 email account breach.
Hamilton County, Tennessee
Officials at Hamilton County in Tennessee have confirmed that the protected health information of 14,081 individuals has been compromised in a security incident at one of its business associates, the debt collection agency Nationwide Recovery Service. According to the notification letters, Nationwide Recovery Service notified the Hamilton County Government on July 14, 2024, about a cybersecurity incident that was ongoing at the time, and said further information would be provided as the investigation progressed. Seven months later, on February 24, 2025, the Hamilton County Attorney’s Office received a letter providing an update on the incident, confirming that there had been unauthorized access to the Nationwide Recovery Service network between July 5, 2024, and July 11, 2024, and during that time, files were copied from its network.
The review confirmed that the stolen data included names, addresses, dates of birth, Social Security numbers, financial account information, medical information, and other types of information provided by Hamilton County related to the collection of funds for delinquent accounts.
Questions have been raised about the notification process. Hamilton County Mayor Weston Wamp said the initial “notice” received from Nationwide Recovery Service in July 2024 was not a notification about a data breach, as it only informed the county of suspicious activity that had been identified. A data breach was only confirmed in February when the Attorney’s Office received the official notification letter.
Mayor Wamp also said the first time he was made aware of the data breach was on March 11, 2025, 15 days after the County Attorney’s Office received the data breach notification and 6 days after a meeting with the law firm Baker Donelson about HIPAA compliance at the county. He stated that the breach was known prior to that meeting but was not disclosed to anyone with oversight of the day-to-day operations of the county government.
“As the Chief Executive Officer of Hamilton County government, I am responsible for ensuring our government remains in compliance with all applicable laws and regulations. However, that responsibility depends on timely communication with my office,” said Mayor Wamp. “When critical information is withheld or delayed, it undermines our ability to act swiftly and puts the county at legal and reputational risk.”
Hamilton County has confirmed that individual notification letters will be mailed within the 60 days allowed by HIPAA, and discussions are ongoing about the steps that can be taken to ensure any future HIPAA incidents are communicated to all appropriate individuals in a timely manner.
Bigfork Valley Hospital, Minnesota
Bigfork Valley Hospital in Minnesota has recently announced a data security incident that was detected on or around November 26, 2025, when suspicious activity was identified in an employee email account. The account was immediately secured, and digital forensics specialists were engaged to investigate the activity and confirmed there had been unauthorized access to the account. On or around January 28, 2025, Bigfork Valley Hospital learned that patient information was stored in emails and attachments and could potentially have been acquired by an unauthorized third party in the incident, although no evidence has been found to indicate any misuse of the exposed information.
The review of the exposed data has recently been completed, and it has been confirmed that the following types of information were exposed: names, phone numbers, dates of birth, Social Security numbers, financial account numbers, driver’s license or state identification numbers, patient account numbers, Medicare or Medicaid numbers, health insurance member numbers, diagnosis information, treatment/procedure information and cost, medical histories/allergies, prescription drug information, lab test results/medical images, admission/treatment dates, treatment locations, and healthcare provider names.
Notification letters were mailed to the 8,496 affected individuals on March 25, 2025.


