Select Medical faces data breach linked to vendor compromise
Tshedimoso Makhene
Jun 28, 2025 10:55:06 AM

Select Medical Holdings has disclosed a data breach affecting approximately 120,000 individuals, stemming from a cyberattack on its former vendor, Nationwide Recovery Services (NRS). The breach occurred between July 5 and 11, 2024, when unauthorized actors accessed and copied sensitive patient files.
What happened
Select Medical experienced a data breach through its former vendor, Nationwide Recovery Services (NRS), a debt collection company. Between July 5 and July 11, 2024, unauthorized individuals accessed and copied patient information from NRS’s systems. The breach was discovered on July 11, prompting NRS to secure its network, investigate, and involve law enforcement. Approximately 120,000 individuals were affected. Select Medical was informed of the impacted patients in April 2025 and began notifying them by June 6. Select Medical also reported the breach to the U.S. Department of Health and Human Services as required under HIPAA regulations.
Read also: What is a supply chain attack and how can it be prevented?
Going deeper
The breach affecting Select Medical stemmed from its former vendor, Nationwide Recovery Services (NRS), a debt collection agency. NRS discovered suspicious activity on July 11, 2024, which led to a network outage. An investigation revealed that files were copied between July 5 and 11. NRS secured its systems, involved law enforcement, and completed a review of the compromised data by February 3, 2025. Select Medical received a list of affected individuals on April 9, 2025.
Exposed information may include names, dates of birth, addresses, provider names, dates of service, patient account numbers, and, in some cases, Social Security numbers. Guarantor data, including names and Social Security numbers, was also involved. Notification letters were sent to affected individuals by June 6, 2025.
Read more: Debt Collector Hack Affects Long List of Clients, Patients
In the know
A vendor compromise occurs when a third-party service provider, such as a billing agency, IT contractor, or debt collector, is breached, resulting in the unauthorized access or theft of sensitive data they manage on behalf of another organization.
Under the Health Insurance Portability and Accountability Act (HIPAA), vendors that access protected health information (PHI) are classified as business associates. HIPAA requires these entities to enter into business associate agreements (BAAs) with healthcare providers, which outline strict rules for handling PHI, including security measures and breach reporting protocols.
If a business associate experiences a breach, HIPAA mandates that:
- The vendor must notify the covered entity (e.g., hospital or provider).
- The covered entity is then responsible for notifying affected individuals, the U.S. Department of Health and Human Services (HHS), and sometimes the media.
- Both the covered entity and the vendor may face penalties if safeguards were inadequate.
Vendor compromises demonstrate the importance of supply chain risk management in healthcare and reinforce the need for providers to vet third-party security practices, enforce compliance, and plan for coordinated incident response.
Read also:
- The action response to a business associate's data breach
- Who is responsible for a data breach?
- HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
Who is responsible for notifying patients in the event of a business associate breach?
The covered entity is responsible for notifying affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases, the media, even if the breach occurred at a vendor.
What must be included in a breach notification?
Notifications must include a description of the breach, the types of information involved, steps individuals can take to protect themselves, what the entity is doing in response, and contact information.
Read more: Navigating HIPAA’s Breach Notification Rule
How quickly must breach notifications be sent?
Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered.