
Breaches at Serviceaide, Nationwide Recovery Services expose medical info of more than 500,000 people

The healthcare information of more than a half million people was leaked in two separate breaches impacting large hospital contractors. 

Hospitals tied to the technology provider Serviceaide and the debt collection giant Nationwide Recovery Services (NRS) announced breaches over the last week involving Social Security numbers, financial information and sensitive health insurance data. 

Serviceaide informed federal regulators at the Department of Health and Human Services that 483,126 people were affected by the theft of information during a cybersecurity incident in the fall of 2024. 

An investigation revealed that hackers had access to a database organized by Serviceaide for Catholic Health — one of the largest non-profit health providers in the U.S. — from September 19 to November 5.

While Serviceaide did not find evidence that the information was copied while the hackers were inside, the company said it is “unable to rule out this type of activity.”

Social Security numbers, dates of birth, medical record numbers, health information, prescription data, clinical information and more were potentially taken during the incident. 

“Upon learning of this incident, we secured the Catholic Health Elasticsearch database, performed an investigation, and reviewed the potentially impacted data to identify any individuals as quickly as possible,” the company warned, noting that it has begun mailing breach notification letters to victims. 

The Serviceaide incident came to light as multiple hospitals reported separate breaches involving Nationwide Recovery Services, a company hired to collect medical debt. 

For more than a month, organizations have warned current and former patients or customers that a breach at the company likely exposed sensitive information. 

Harbin Clinic in Georgia said 210,140 people are being notified of the breach after accusing Nationwide Recovery Services of not warning them. 

“It is our understanding that, in July 2024, NRS discovered suspicious activity related to its information technology systems, which resulted in a network outage,” Harbin said in notices.  

“NRS indicated that it determined through an investigation there was unauthorized access to the NRS network between July 5, 2024 and July 11, 2024, during which time certain files and folders were illegally copied from NRS’s systems by someone without authorization.” 

The information exposed to the hackers includes financial account information, medical information, Social Security numbers and more. 

Harbin Clinic said it uses NRS for debt collection services for delinquent accounts of patients as well as services related to bankruptcies, lawsuits and patient estate matters. The clinic said patients or guarantors “whose billing accounts were sent to collections or involved in other legal proceedings would be potentially impacted by this event.”

NRS warned Harbin Clinic of the incident in February but the company was not able to say who exactly was impacted. By March, NRS provided a list of Harbin patients affected. 

NRS and its parent company Accscient did not respond to requests for comment. The companies offer debt collection services to healthcare firms, banks and government entities. No cybercriminal group ever took credit for the attack. 

Multiple organizations have also recently posted notices about the NRS incident, including health system Erlanger, the city government of Chattanooga, Tennessee and Hamilton Health Care System in Texas, which said more than 88,000 people had information stolen. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.