The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Vitruvian Health & Erlanger Health Affected by Nationwide Recovery Service Cyberattack

More healthcare providers have confirmed they were affected by the data breach at the debt collection agency Nationwide Recovery Service, including Vitruvian Health & Erlanger Health. Cyberattacks have also been reported by Howard Memorial Hospital and Boudreaux’s Specialty Compounding Pharmacy.

Vitruvian Health & Erlanger Health Affected by Nationwide Recovery Service Breach

Hamilton Health Care System, Inc., doing business as Vitruvian Health in Georgia and Tennessee, and Erlanger Health in Tennessee have been affected by a cyberattack on their debt collection vendor, Nationwide Recovery Service. Suspicious activity was identified within the Nationwide Recovery Service network on July 11, 2024. The forensic investigation confirmed unauthorized network access between July 5, 2024, and July 11, 2024, during which time a threat actor exfiltrated sensitive data from the network. Vitruvian Health said the compromised data includes patient names, addresses, Social Security numbers, dates of birth, financial account information, and medical information. The breach was reported to the HHS’ Office for Civil Rights as affecting 88,848 patients.

Erlanger Health said 3,371 individuals have been affected by the breach, all of whom had previously received services from Erlanger Western Carolina Hospital. The compromised data was limited to names, addresses, and dates of service, with a subset of those individuals also having their Social Security numbers stolen. Vitruvian Health and Erlanger Health confirmed that there was no unauthorized access to their own networks, only the network of Nationwide Recovery Service.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services, and Nationwide Recovery Service has provided assurances that additional cybersecurity measures have been implemented to prevent similar breaches in the future. Other healthcare providers known to have been affected include Rhea Medical Center and Hamilton County in Tennessee.

Howard Memorial Hospital Patients Affected by October 2024 Security Breach

Howard Health Systems, doing business as Howard Memorial Hospital in Nashville, Arkansas, has started notifying 17,703 patients about the exposure of their personal and protected health information. The substitute breach notice does not state when the hospital's network was compromised or when the breach was detected, only that the unauthorized access occurred on October 5, 2024.

The document review was completed on January 30, 2025, when it was confirmed that the exposed information included first and last names, clinical/treatment information, medical provider names, medical record numbers, and patient account numbers. Notification letters were mailed to the affected individuals two months later, on March 31, 2025. Howard Memorial Hospital said it continually evaluates and modifies its practices and internal controls to enhance the security and privacy of information stored on its network and will continue to do so.

Boudreaux’s Specialty Compounding Pharmacy Falls Victim to Ransomware Attack

Boudreaux’s Specialty Compounding Pharmacy in Shreveport, Louisiana, was the victim of a cyberattack that caused network disruption on January 25, 2025. Third-party cybersecurity specialists assisted with the response and investigation and confirmed that files containing sensitive patient data were stolen in the cyberattack. The file review confirmed that the stolen data included names, addresses, telephone numbers, dates of birth, prescription information, health insurance information, and prescription cost information. A very limited number of individuals also had their email addresses and Social Security numbers stolen.

Additional security measures have been implemented, and data security policies and procedures are being reviewed and will be updated to better protect against further cyberattacks. The breach has been reported to the HHS’ Office for Civil Rights as involving the electronic protected health information of 6,270 individuals. Individual notification letters were mailed on March 21, 2025.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
