Over 200,000 Harbin Clinic patients were affected by a third-party data breach traced to a debt collector.
Harbin Clinic, a Georgia-based healthcare provider, is notifying more than 200,000 patients that their personal data was compromised in a July 2024 cyberattack on Nationwide Recovery Services (NRS), a third-party debt collection agency. NRS detected suspicious activity on its network that caused an outage, later confirming that attackers had accessed its systems between July 5 and July 11.
The breach was not disclosed to Harbin Clinic until February 2025, when NRS informed the clinic that patient data was involved. A formal list of affected individuals followed in March.
The stolen data includes a wide range of sensitive information: full names, addresses, birth dates, Social Security numbers, medical and guarantor details, and financial account information. Harbin Clinic has reported the breach to the Maine Attorney General’s Office, noting that 210,140 individuals were affected. Impacted patients are being offered 24 months of complimentary identity monitoring services.
NRS, which holds collection licenses in all 50 states, has acknowledged the breach but has not specified how many individuals were impacted in total or which clients were affected. However, additional disclosures from other NRS clients, such as Hamilton Health Care System, Erlanger Health, and the City of Chattanooga, suggest that over 110,000 additional people were affected across Georgia and Tennessee alone.
No ransomware group has claimed responsibility for the breach, and there is currently no evidence that the stolen data has been used for identity theft or fraud.
In its notice to patients, Harbin Clinic stated that NRS “has no evidence to suggest there has been identity theft or fraud related to this incident.” Despite the scale of the breach, both organizations appear to be treating it as a data exposure rather than an active exploitation case, at least for now.
Although Harbin Clinic was not directly breached, the exposure of patient data through NRS shows how security gaps in partner systems can impact healthcare organizations. Patients affected by such breaches often receive identity monitoring services, but are given limited information about how their data will be protected in the future. With regulatory scrutiny around healthcare data privacy increasing, the security practices of third-party vendors remain a major concern.
Third-party vendors are not always required to notify clients immediately, especially if an investigation is ongoing. Delays often occur while assessing the scope and confirming impacted data.
Patients should enroll in the offered identity monitoring services, review their credit reports regularly, and watch for signs of suspicious activity, such as unexpected bills or account changes.
Liability in third-party breaches can be complex. While Harbin Clinic was not directly breached, patients may seek legal advice if they believe the clinic failed to vet vendors adequately or respond appropriately.
Third-party breaches are increasingly frequent, as many healthcare providers outsource billing, collections, and IT services. These third parties often hold large volumes of sensitive data but may lack strong cybersecurity controls.
Organizations can conduct regular vendor risk assessments, require stricter data handling policies in contracts, and monitor compliance with cybersecurity standards like HITRUST or SOC 2.