A third-party data breach has compromised personal information belonging to more than 200,000 Harbin Clinic patients.
The breach stems from a cyber-attack in July 2024 targeting Nationwide Recovery Services (NRS), a debt collection agency contracted by the Georgia-based healthcare provider. The incident came to light following unusual activity on NRS systems, which led to a network outage.
Investigations revealed that threat actors accessed the NRS network between July 5 and July 11, during which they extracted sensitive data.
In February 2025, NRS – owned by ACCSCIENT – formally notified Harbin Clinic that patient data had been impacted. A detailed list of affected individuals was shared in March.
The compromised information includes:
- Names
- Birth dates
- Social Security numbers
- Financial account details
- Guarantor data
- Addresses
- Medical information
According to Harbin Clinic, “NRS reported that it has no evidence to suggest there has been identity theft or fraud related to this incident.”
Still, the clinic has offered 24 months of free identity monitoring services to the 210,140 people affected, as disclosed to the Maine Attorney General’s Office.
Other Healthcare Providers Also Hit
The breach extends beyond Harbin Clinic. In April, additional NRS clients reported fallout from the incident.
Healthcare entities such as Erlanger Health, Hamilton Health Care System (operating as Vitruvian Health), Elbert Memorial Hospital, DRH Health, Rhea Medical Center and even the City of Chattanooga confirmed that over 110,000 people collectively were affected.
Security experts have expressed concern about the delay in notification.
“The Harbin Clinic (NRS) incident is a textbook example of the cascading risks and delayed fallout of third-party breaches in healthcare,” said Ensar Seker, CISO at SOCRadar.
“The breach occurred in July 2024, yet patients are only being notified nearly a year later.”
Erich Kron, security awareness advocate at KnowBe4, echoed the concern.
“Unfortunately, this is a case of the true victims being left unaware and vulnerable by the organizations that were trusted to keep their data secure,” he said.
“While NRS states there is no evidence to suggest there has been identity theft or fraud […] information such as Social Security numbers, birth dates and medical information generally do not have a shelf life.”
NRS, licensed in all 50 states, manages collections for delinquent medical accounts and handles legal and estate-related cases. The breach has raised concerns about data handling by third-party vendors in the healthcare sector.
Infosecurity has contacted NRS for further comment. This article will be updated with any response.