110,000+ Records Compromised: The NRS Cybersecurity Failure

In this episode, we unpack the 2024 cybersecurity incident that rocked the debt collection and healthcare sectors: the massive data breach at Nationwide Recovery Services (NRS), a third-party collections agency and subsidiary of ACCSCIENT. Between July 5 and July 11, 2024, threat actors gained unauthorized access to NRS’s systems, exfiltrating sensitive personal and medical data belonging to individuals whose information was handled by NRS on behalf of healthcare providers and government entities.

We’ll break down what was exposed — including names, Social Security numbers, medical records, and financial account details — and discuss why this breach is considered particularly severe. With downstream vendors like Harbin Clinic, DRH Health, and the City of Chattanooga now notifying over 110,000 individuals (and counting), the scale of the breach is significant — and growing.

Our discussion explores:

  • Why NRS delayed notifying affected clients until February 2025 — 7 months after detection.
  • The legal and contractual backlash, including Chattanooga’s canceled contract and threats of litigation.
  • Regulatory obligations under HIPAA and GDPR, and how NRS may have fallen short.
  • Lessons for healthcare providers and public entities in managing third-party risk.
  • Steps individuals should take now if they were affected — and why identity protection services matter.

We also analyze how the incident has intensified scrutiny of the debt collection industry’s data security posture and why vendor oversight must be a priority in any data-driven operation.

Tune in for a comprehensive breakdown of a breach with far-reaching consequences — and what it signals for future legal and cybersecurity landscapes.
