The Radiology Group, also known as TRG Medical Imagery, recently notified the Department of Health and Human Services (HHS) that they were impacted by a breach at Nationwide Recovery Services (NRS).
What happened
TRG, based out of Oregon, recently ntofied the Massauchesettes Attorney General of a data breach resulting from an incident that occured at NRS, a debt collection agency.
The Radiology Group was informed of the incident on March 31st, 2025. NRS stated that between July 5th and July 11th, 2024, an unuathorized party accessed their network and copied certain files from NRS’ systems.
Impacted information included names, addresses, Social Security numbers, dates of birth, account balances, and/or medical relation information. The information was provided by TRG as part of NRS’ payment recovery services.
NRS is generally used by organizations for the delinquent accounts of patients, as well as services related to bankruptcies, lawsuits, and patient estate matters, according to The Record. NRS works to ensure that hospitals are ultimately paid for any services performed.
After the breach was discovered in July of 2024, the company conducted an extensive review of the incident. They then began contacting impacted clients between February and March, 2025. Now, individual notification letters are being sent by the affected organizations.
Third-party data breaches show how interconnected healthcare systems are with other organizations, like administrative organizations, insurance agencies, and in this case, debt collectors. For patients, this means that a variety of companies may have access to their data. In some cases, patients may provide explicit data-sharing permission to these companies, but in other instances, they may allow healthcare companies to decide when data can be shared.
For healthcare companies, vendor breaches show how vulnerable data can be, even if the healthcare company follows all of the best practices. Because of this, it is important for every healthcare organization to discuss and review their vendor’s privacy and data-sharing policies.
Vendor breaches often involve data that is specific to the vendor. For instance, a health insurance vendor may have claims and financial information. In this case, NRS is a debt collector that mostly has information on delinquent accounts; not every patient in an impacted organization may be personally affected. Aside from that, vendor breaches generally impact multiple organizations. Lastly, these breaches may have a longer notification process, as the vendor must first notify their partner organization, who will then notify patients.
It’s currently unknown how many other organizations were impacted by the NRS breach, but multiple other healthcare companies, like Harbin Clinic, Northeast Georgia Health System, have announced that they were impacted.