Nationwide Recovery Service Data Breach Victim List Grows: 560,000+ Individuals Affected
The list of victims from the data breach at the debt collection agency Nationwide Recovery Service (NRS) is steadily growing, with a further six NRS clients confirming that sensitive information was stolen in the attack: The City of Chattanooga, MAK Anesthesia, Duncan Regional Hospital, Swedish Edmonds Hospital, Smile Solutions of Goodlettsville, and UCM Medical Group. Currently, at least 560,067 individuals are known to have been affected, and several affected companies have yet to confirm breach numbers, including NRS.
HIPAA-regulated entities that have previously confirmed that they were affected include Harbin Clinic, Northeast Georgia Health System, Rhea Medical Center, Chartered Radiology, Erlanger Western Carolina Hospital, and Vitruvian Health, with the latter affecting Hamilton Health Care System and its affiliates Hamilton Emergency Medical Services, Hamilton Physician Group, Hamilton Medical Center, and Anna Shaw Children’s Institute.
NRS is used by many HIPAA-regulated entities to recover funds from delinquent accounts, as well as for issues related to bankruptcies, lawsuits, and patient estate matters. NRS is provided with protected health information such as names, contact information, Social Security numbers, financial account information, and medical information in order to provide those services. In some cases, NRS was provided with access to its clients’ systems.
NRS identified suspicious activity within its computer network in July 2024 and took steps to prevent further unauthorized access. The attack resulted in a network outage, although it has not been confirmed if ransomware was involved. The forensic investigation confirmed that hackers had access to the NRS network between July 5, 2024, and July 11, 2024, during which time, files containing sensitive information were exfiltrated from its systems. NRS conducted a time-intensive review of the stolen files and notified the affected clients between February and March 2025. Individual notification letters are now being sent to the affected individuals, and lawsuits have started to be filed against NRS and its affected clients.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
One of the latest healthcare providers to confirm it was affected by the cyberattack was UChicago Medicine Medical Group (UCM Medical Group), formerly Primary Healthcare Associates. The medical group said it was notified on April 8, 2025, that patient data had been compromised in the incident, including names, addresses, dates of birth, Social Security numbers, financial account details, and medical-related information. UCM Medical Group said it is sending notification letters to the affected individuals and has terminated its business relationship with NRS due to the data breach.
HIPAA-regulated entities known to have been affected by the Nationwide Recovery Service data breach include:
| HIPAA-Regulated Entity | State | Individuals Affected |
| Nationwide Recovery Service | Georgia | TBC – Reported to OCR as affecting at least 501 individuals |
| Harbin Clinic | Georgia | 176,149 |
| Select Medical Holdings Corporation | Pennsylvania | 119,525 |
| TRG Medical Imaging (The Radiology Group) | Oregon | 70,434 |
| UChicago Medicine Medical Group (formerly Primary Healthcare Associates) | Illinois | 38,656 |
| Shore Medical Center | New Jersey | 31,177 |
| Self Regional Healthcare | South carolina | 26,696 |
| MAK Anesthesia | Georgia | 24,079 |
| Northeast Georgia Health System | Georgia | 21,000 |
| Jackson Hospital and Clinic | Alabama | 14,485 |
| Radiology Chartered | Wisconsin | 12,656 |
| Vitruvian Health, including Hamilton Health Care System, Hamilton Emergency Medical Services, Hamilton Physician Group, Hamilton Medical Center, and Anna Shaw Children’s Institute | Georgia | 8,848 |
| Rhea Medical Center | Tennessee | 8,309 |
| Erlanger Western Carolina Hospital (formerly Murphy Medical Center) | Tennessee | 3,371 |
| Franklin Dermatology Group | Tennessee | 2,457 |
| Swedish Edmonds Hospital (Formerly Stevens Memorial Hospital) | Washington | 886 |
| City of Chattanooga | Tennessee | 838 |
| Doctors’ Memorial Hospital | Florida | 500 (placeholder) |
| Duncan Regional Hospital (DRH Health) | Oklahoma | TBC |
| Smile Solutions of Goodlettsville | Tennessee | TBC |
| Total | 560,067 |
Table last updated on September 12, 2025.
Threat actors often target vendors, as an attack on a vendor can allow the threat actor to gain access to the networks of its clients, or at least steal their sensitive data. Debt collection agencies are an attractive target as they are provided with sensitive data that can be used for identity theft and fraud. A cyberattack on the debt collection agency American Medical Collection Agency in 2018 allowed a threat actor to steal the sensitive data of more than 24 million individuals.
