Data Breach Impacting 200,000 Harbin Clinic Patients Identified in Debt Collection Operations

A recent data breach has compromised the personal information of over 200,000 patients associated with Harbin Clinic, due to a cyber-attack on Nationwide Recovery Services (NRS), a debt collection agency employed by the healthcare provider. The breach occurred between July 5 and July 11, 2024, when threat actors infiltrated NRS systems, causing a network disruption that was identified through unusual activity.

The ramifications of this breach became evident in February 2025 when NRS, a subsidiary of ACCSCIENT, officially notified Harbin Clinic of the data compromise. A detailed list of affected individuals was subsequently shared in March 2025, disclosing sensitive information that includes:

– Names
– Birth dates
– Social Security numbers
– Financial account details
– Guarantor data
– Addresses
– Medical information

Despite these serious breaches of data security, Harbin Clinic has communicated that NRS found no evidence indicating that identity theft or fraud has arisen from the incident. Nevertheless, as a precautionary measure, the clinic has offered 24 months of free identity monitoring services to the affected individuals, as noted in correspondence with the Maine Attorney General’s Office.

The impact of the breach is not limited to Harbin Clinic. In April, multiple clients of NRS reported similar breaches, which collectively affected over 110,000 individuals from healthcare establishments, including Erlanger Health, Hamilton Health Care System (operating as Vitruvian Health), and Rhea Medical Center.

Concerns surrounding the delay in notification have surfaced among security experts. Ensar Seker, Chief Information Security Officer at SOCRadar, remarked, “The Harbin Clinic (NRS) incident exemplifies the cascading risks and delayed consequences of third-party breaches in healthcare.” He emphasized the troubling timeline whereby the breach occurred in July 2024, yet notifications reached patients nearly a year later.

Erich Kron, a security awareness advocate, shared similar sentiments, stating, “This incident leaves the true victims unaware and susceptible, as organizations entrusted with their data security failed to act promptly. Sensitive information such as Social Security numbers, birth dates, and medical data tend to carry long-term implications.”

NRS, licensed to operate in all 50 states, manages delinquent medical accounts and related legal matters. This breach raises pressing concerns regarding the data management practices of third-party vendors within the healthcare industry. As this situation develops, further statements from NRS are anticipated, and updates will be provided as they arise.