In July 2024, Nationwide Recovery Services, a third-party vendor previously contracted by UChicago Medicine Medical Group, experienced a cybersecurity incident that resulted in unauthorized access to certain files and folders.
What happened
The breach occurred between July 5 and July 11, 2024, and potentially exposed sensitive personal information, including individuals' names, addresses, dates of birth, Social Security numbers, financial account details, and medical-related information. UChicago Medicine Medical Group was formally notified of the breach on April 8, 2025.
Although there is currently no evidence that the compromised data has been misused, the medical group began notifying affected individuals, directly by mail where possible and via public notices otherwise. Following a completed review of the incident and subsequent cybersecurity enhancements by Nationwide Recovery Services, UChicago Medicine Medical Group decided to terminate its relationship with the vendor in response to the breach.
What was said
According to UChicago Medicine’s Notice of Security Incident, “From July 5, 2024, to July 11, 2024, an unauthorized individual gained access to NRS systems and obtained information from certain files and folders. Upon learning of this, NRS took steps to terminate the unauthorized access and make enhancements to further secure their systems. NRS recently completed a review and analysis of the potential impacts and determined that personal information may have been involved.”
Why it matters
Unlike high-profile intrusions directly aimed at major health systems, vendor breaches often fly under the radar until months later, as seen here when UChicago only learned of the incident on April 8, 2025, giving criminals a long window to mine stolen data. Exposed names, Social Security numbers and medical details put thousands of patients at risk of identity theft or fraud, mirroring the stakes in the recent Change Healthcare ransomware attack and the RansomHub incident at Planned Parenthood.
Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What exactly is a healthcare data breach?
A data breach happens when someone gains unauthorized access to protected health information (PHI). That can mean names, Social Security numbers, medical records or billing details leaving trusted systems without permission.
Why do attackers target healthcare organizations?
Health records hold a wealth of personal and financial details. Stolen PHI often sells for higher value on black‑market forums than credit‑card data, making hospitals and clinics prime targets.
Which types of patient information are most at risk?
Names and dates of birth top the list, but Social Security numbers, insurance IDs, medical diagnoses, treatment notes and billing records all carry serious identity‑theft or fraud potential if exposed.
What laws require healthcare entities to report breaches?
Under HIPAA’s Breach Notification Rule, covered entities and business associates must notify affected individuals, the HHS Office for Civil Rights and, in large breaches, the media—normally within 60 days of discovery.
Kirsten Peremore
