In July 2024, a cybersecurity incident occurred involving Nationwide Recovery Services (NRS), a debt collection agency based in Cleveland, Tennessee, that provides services to Hamilton County and the City of Chattanooga.
The data breach stemmed from unauthorized access to NRS’s systems between July 5 and July 11, 2024, during which certain files and folders were copied from its network. These files included protected health information (PHI) and potentially names, addresses, Social Security numbers, dates of birth, financial account details, and medical-related information belonging to individuals whose data had been submitted by Hamilton County Emergency Medical Services (EMS).
Although Nationwide Recovery Services stated in a letter sent to the City of Chattanooga on February 7, 2025, that they had initially informed the city via email on July 14, 2024, the city claimed it had not been aware of the breach until the February letter. The failure to alert the city was deemed an “unacceptable error” by city spokesperson Eric Holl, who called for a thorough investigation. Holl also announced that the city attorney's office had written to NRS, requiring the company to notify all potentially affected individuals and offer them complimentary credit monitoring and identity protection.
Meanwhile, Hamilton County officially disclosed the breach on April 4, 2025, in accordance with federal laws regulating private health information. The County Attorney’s Office received a follow-up letter from NRS on February 24, 2025, confirming that the breach had involved unauthorized access and data theft. That same day, Hamilton County's privacy officer notified County Attorney Rheubin Taylor and Compliance Task Force Chair Commissioner David Sharpe, launching an investigation into the matter.
Holl said, “The failure of this information to reach necessary channels is an unacceptable error. We will launch a thorough investigation into how this information failed for so long to reach necessary channels, and we will share the results of that investigation with the public, while taking the necessary steps to ensure this kind of error never happens again. Today, the city attorney's office wrote Nationwide Recovery Services, compelling them to inform everyone potentially affected and to offer them complimentary credit monitoring and identity protection.”
As part of the response, Nationwide Recovery Services informed Hamilton County that the PHI of 14,084 individuals had been exposed. The county committed to sending notification letters to affected individuals once all mailing addresses were verified. It also advised individuals to monitor their credit and medical records and provided contact information for the privacy officer, Angela Duncan, for any related inquiries.
Both Chattanooga and Hamilton County expressed regret over the breach, with Chattanooga’s mayor’s office promising aggressive measures to ensure timely protection and notification for affected residents, while Hamilton County reiterated its commitment to protecting citizens’ personal information in the provision of health care services.
Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)
Network servers are the most common breach location due to hacking incidents.
Yes. Insider threats, including malicious insiders stealing data, contribute notably to breaches.
Implementing advanced email security, multifactor authentication, regular staff training focused on phishing and social engineering, and continuous risk assessments.