Vendor breach at nationwide recovery services hits over 210K patients

Harbin Clinic, LLC, a large multi-specialty physician group based in Georgia, has notified over 210,000 individuals that their personal and protected health information (PHI) was compromised due to a data breach at a third-party debt collection vendor, Nationwide Recovery Services, Inc. (NRS). The incident involved unauthorized access and data exfiltration from NRS's systems.

What happened

According to a notice from Harbin Clinic and reports to state Attorneys General, NRS discovered suspicious activity related to its IT systems in July 2024, which resulted in a network outage. An NRS investigation determined that an unauthorized party had gained access to its network between July 5, 2024, and July 11, 2024. During this time, certain files and folders were illegally copied from NRS’s systems.

Harbin Clinic, which used NRS for delinquent accounts and other legal/estate matters, was not informed that its patient data might have been impacted until February 2025. In March 2025, NRS provided Harbin Clinic with a list of individuals whose information may have been involved.

What's new

Harbin Clinic has confirmed that 210,140 individuals were affected nationwide, including 14 residents of Maine (13 patients and 1 guarantor). The compromised information, according to NRS's investigation, varies by individual but may include:

  • Full names
  • Addresses
  • Social Security numbers
  • Dates of birth
  • Financial account information
  • Guarantor information
  • Medical-related information

In response, Harbin Clinic immediately blocked NRS’s access to its systems and conducted its own internal review. The clinic is offering affected individuals a complimentary 24-month membership to Kroll Identity Monitoring services. A dedicated toll-free call center (866) 408-3081 has been established. Several law firms, including Edelson Lechtzin LLP, Federman & Sherwood, Strauss Borrelli PLLC, and Lynch Carpenter LLP, have announced investigations into the breach for potential class action lawsuits.

The intrigue

This incident again illustrates the third-party risk inherent in healthcare data handling: a breach at a business associate exposes a covered entity's patients regardless of the strength of the covered entity's own controls. The roughly seven months between NRS's discovery of the intrusion (July 2024) and its notification to Harbin Clinic (February 2025), and the further delay before patients were told, point to gaps in vendor communication and oversight. This is not an isolated incident for NRS; other healthcare providers have also recently reported breaches stemming from the same July 2024 event at this vendor.

What they're saying

Harbin Clinic stated, "We apologize for any concern or inconvenience this may have caused and remain committed to protecting the confidentiality and security of our patients’ information and to working closely with our vendors to ensure they uphold our high standards for privacy protection." They also noted, "Importantly, NRS reported that it has no evidence to suggest there has been identity theft or fraud related to this incident."

Law firms investigating the breach are focusing on the potential negligence by both NRS in securing data and Harbin Clinic in its vendor oversight. They emphasize the potential for identity theft and fraud faced by affected individuals.

Looking ahead

Affected individuals are strongly advised to enroll in the offered Kroll Identity Monitoring services and remain vigilant by reviewing their financial accounts, credit reports, and Explanation of Benefits (EOBs).

This incident will likely bring increased scrutiny of NRS's security practices and of the breach-notification terms in the business associate agreements between healthcare providers and their vendors. The HIPAA Breach Notification Rule already requires a business associate to notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery; the timeline reported here far exceeds that. For Harbin Clinic, questions may arise about its vendor management program.

FAQs

What is a third-party vendor data breach (or Business Associate breach)?

This occurs when a vendor or contractor (a "Business Associate" under HIPAA) that handles Protected Health Information (PHI) on behalf of a healthcare provider (a "Covered Entity") experiences a data security incident. The Covered Entity remains responsible for safeguarding its patients' PHI, which includes binding its vendors to appropriate safeguards and breach-reporting duties through a business associate agreement and overseeing that they follow them.

Why was Harbin Clinic affected if its own systems weren't breached?

Harbin Clinic used Nationwide Recovery Services (NRS) for services like debt collection. As part of these services, Harbin Clinic shared patient and guarantor information with NRS. The breach occurred within NRS's systems, not Harbin Clinic's, but because Harbin Clinic's patient data was involved, they are responsible for notifying affected individuals.

Why the delay in notification from Harbin Clinic?

According to Harbin Clinic, the delay was due to NRS. NRS discovered its own breach in July 2024 but did not inform Harbin Clinic that its specific patient data was potentially impacted until February 2025, and only provided a list of affected individuals in March 2025. Harbin Clinic then needed time to prepare and begin its own notification process in May 2025.