Why Did DRH Health Stay Silent for 7 Months After a Massive Data Breach?

DRH Health Patients Exposed After Nine Month Vendor Data Breach
Corporate Misconduct Accountability Project


Nationwide Recovery Services allowed an unknown actor to copy patient files for months before notifying DRH Health, leaving thousands of patients vulnerable to identity theft and medical fraud.

HIGH SEVERITY
TL;DR

Between May and July 2024, an unknown hacker spent nine weeks copying patient files from Nationwide Recovery Services, a debt collector hired by DRH Health. NRS detected the breach on July 11, 2024, but did not inform DRH until February 14, 2025—seven months later. DRH then spent another six weeks identifying victims before finally mailing notifications in late March 2025, almost a year after the breach began.

If you received care at DRH Health and had bills sent to collections, your personal information may have been exposed for nearly a year before you were told.

9 weeks: Duration unknown actor copied patient files
7 months: Delay between breach detection and DRH notification
11 months: Total time from first breach to patient notification

The Allegations: A Breakdown

⚠️
Core Allegations
What they did · 5 points
01 An unknown hacker gained unauthorized access to Nationwide Recovery Services' network systems and spent nine weeks copying patient files stored on at least one system between May 5, 2024 and July 11, 2024. high
02 NRS detected the cybersecurity incident on July 11, 2024 but did not inform DRH Health of the extent of the breach impact until February 14, 2025, a delay of more than seven months. high
03 DRH Health then spent an additional six weeks conducting an extensive review to remove duplicated individuals and identify missing address information before completing notifications on March 28, 2025. medium
04 The investigation could not conclusively determine what specific personal information was involved for each individual patient, meaning victims have no certainty about exactly what data was stolen. medium
05 DRH Health had entrusted NRS with various services including payment collection, placing sensitive patient data outside the hospital’s direct security controls and into a vendor system that proved vulnerable. medium
⏱️
Exploiting Delay
Strategic silence · 4 points
01 Between the first unauthorized file copy on May 5, 2024 and final patient notification in late March 2025, nearly eleven months elapsed, providing ample time for stolen data to circulate on dark web marketplaces. high
02 NRS waited seven months after detecting the breach before informing DRH Health that patient information might be compromised, leaving the hospital unable to warn its own patients during the critical early window. high
03 DRH Health took another six weeks to review and deduplicate records after being notified, further extending the gap between exposure and public disclosure. medium
04 The notification letter provides no explanation for why NRS took seven months to inform DRH, and no accountability measures or penalties are mentioned for this prolonged silence. high
💰
Profit Over People
Cost-cutting consequences · 4 points
01 DRH Health outsourced debt collection to a third party vendor to reduce administrative costs and accelerate revenue cycles, but this cost-cutting decision placed patient data outside direct hospital security oversight. high
02 The breach letter acknowledges privacy and security are among DRH’s highest priorities, yet the hospital chose a vendor whose cybersecurity proved insufficient to protect patient information for even nine weeks. medium
03 NRS’s investigation could not conclusively determine what specific information was stolen for each patient, suggesting inadequate logging and monitoring systems that would have been necessary to track exactly what the hacker accessed. medium
04 DRH offers only single bureau credit monitoring rather than comprehensive three-bureau monitoring, minimizing the company’s mitigation costs while leaving patients with incomplete protection. medium
👥
Community Impact
Who bears the burden · 5 points
01 Patients must now enroll themselves in credit monitoring services, requiring an internet connection, email account, and time to complete activation processes that shift post-breach labor onto victims. medium
02 The letter urges patients to remain vigilant and monitor their own account statements and credit reports, effectively outsourcing ongoing security work to the same people whose data was compromised. medium
03 Affected individuals must contact financial institutions and credit bureaus themselves, potentially taking time off work, arranging childcare, and paying for certified mail or notary fees to protect their own interests. medium
04 Patients received form letters almost a year after their data was first copied, forcing them to grapple with identity theft fears on top of existing medical bills and financial stress. high
05 For rural patients with limited broadband access, enrolling in online monitoring services becomes yet another hurdle, as the enrollment requires internet connection and may not be available to minors under 18. medium
🔍
Regulatory Failures
Where oversight disappeared · 4 points
01 The notification states DRH is informing the Department of Health and Human Services, but specifies no fines, penalties, or binding commitments to prevent future breaches. high
02 Federal privacy laws impose strict obligations on hospitals, but enforcement weakens once patient data leaves the hospital and enters third party vendor systems like debt collectors. medium
03 The seven month notification delay by NRS shows no immediate regulatory consequence, demonstrating how compliance relies on voluntary self-reporting rather than mandatory real-time disclosure. high
04 DRH’s letter fulfills statutory notice obligations by listing credit bureau contacts and Attorney General information, but this legal minimalism meets only the form of privacy law while hollowing out its protective purpose. medium
📢
The PR Machine
Corporate spin in action · 5 points
01 The letter repeatedly states DRH is not aware of any actual or attempted misuse of patient information, framing a confirmed nine-week data theft as merely a hypothetical risk. medium
02 DRH describes the notification as being provided out of an abundance of caution, minimizing the seriousness of an incident where an unknown actor spent weeks copying patient files. medium
03 The company frames its credit monitoring offer as added precaution and proactive fraud assistance, recasting a legal obligation as corporate generosity. low
04 DRH apologizes for any inconvenience this incident may cause, using passive language that reduces a year-long security failure to a minor disruption. low
05 The notification includes placeholder text like activation code and date fields, revealing this is a mass-produced template letter rather than individualized communication with affected patients. low
⚖️
Corporate Accountability Failures
No consequences · 4 points
01 The breach notification names no executives at either DRH Health or Nationwide Recovery Services, leaving no individual accountable for the security failure or seven-month notification delay. high
02 DRH provides no information about what security improvements it has required from NRS or whether the hospital continues to use the vendor for debt collection services. medium
03 The letter mentions no financial penalties, executive compensation clawbacks, or binding commitments to overhaul data security architecture at either organization. high
04 DRH promises cooperation with federal regulators but offers no timeline for when any investigation might conclude or what enforcement actions might follow. medium
🏥
Public Health and Safety
Medical identity theft risks · 4 points
01 Medical identity theft can corrupt patient treatment records, potentially causing doctors to make decisions based on fraudulent information about allergies, medications, or medical history. high
02 Victims of medical identity theft may face delays in receiving lifesaving procedures while they work to clear fraudulent claims and restore accurate medical records. high
03 Stolen patient information can be used to obtain prescription medications, medical devices, or healthcare services that then appear on the victim’s insurance records and medical files. medium
04 The breach erodes patient trust in healthcare systems meant to protect them, potentially causing people to avoid seeking necessary medical care or sharing complete health information with providers. medium
📌
The Bottom Line
System working as designed · 4 points
01 The nine-week intrusion, seven-month silence, and token remediation do not represent system failure but rather demonstrate how modern healthcare outsourcing converts patient trust into corporate risk capital. high
02 DRH Health minimized costs by outsourcing debt collection, NRS under-invested in cybersecurity, and patients now shoulder the long-term burden of monitoring credit and protecting against identity theft. high
03 Delay served as a tactical corporate asset, allowing executives to retain quarterly bonuses and vendors to negotiate narrative control while public attention moved to newer scandals. medium
04 Until regulation forces companies to value patient data as a public health asset worthy of the same rigor as sterilized surgical instruments, communities will remain frontline casualties of profit-driven efficiency. high

Timeline of Events

May 5, 2024: Unknown actor begins gaining unauthorized access to Nationwide Recovery Services' network and copying patient files
July 11, 2024: NRS detects the cybersecurity incident and begins internal investigation
February 14, 2025: NRS finally informs DRH Health that the breach may have impacted patient information
March 28, 2025: DRH completes review to identify affected individuals and begins mailing notifications

Direct Quotes from the Legal Record

QUOTE 1 Seven month notification delay delay_tactics
“NRS did not inform DRH of the extent of the incident’s impact until February 14, 2025, when NRS sent a notice that the incident may have impacted the security of personal information relating to certain DRH patients.”

💡 The vendor waited seven months after detecting the breach before telling the hospital patients were at risk.

QUOTE 2 Breach duration allegations
“NRS’s investigation into the issue determined that an unknown actor had gained unauthorized access to systems on NRS’s network from July 5, 2024 to July 11, 2024. During this time, the unknown actor copied files that were stored on one system.”

💡 The hacker spent over nine weeks systematically copying patient files before being detected.

QUOTE 3 Inconclusive investigation allegations
“While NRS’s investigation could not conclusively determine the specific information involved for each individual, following types of personal information relating to you may have potentially been present within the copied files”

💡 Patients have no certainty about exactly what data was stolen because the investigation was incomplete.

QUOTE 4 Outsourcing decision profit
“DRH has previously used NRS for various services, including payment collection.”

💡 The hospital chose to place patient data with a third party debt collector to reduce costs.

QUOTE 5 Work shifted to victims community
“We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious or unauthorized activity.”

💡 The company tells victims to do ongoing security work rather than providing comprehensive protection.

QUOTE 6 Limited monitoring offered profit
“As an added precaution, we are providing you with access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge.”

💡 DRH offers only single bureau monitoring instead of comprehensive three-bureau protection to minimize costs.

QUOTE 7 Self-enrollment required community
“While DRH is covering the cost of these services, you will need to complete the activation process yourself.”

💡 Victims must spend their own time navigating enrollment instead of receiving automatic protection.

QUOTE 8 No evidence claim pr_machine
“While we are not aware of any actual or attempted misuse of your information, out of an abundance of caution, we are providing you with this notice”

💡 The company minimizes a confirmed data theft by framing it as a hypothetical risk.

QUOTE 9 Digital divide barrier community
“The enrollment requires an internet connection and e-mail account and may not be available to minors under the age of 18 years of age.”

💡 Rural patients without reliable internet face additional hurdles to protect themselves.

QUOTE 10 Regulatory notification without penalties regulatory
“We are also notifying the Department of Health of Human Services of this incident.”

💡 The letter mentions notifying regulators but specifies no fines or enforcement actions.

QUOTE 11 Apology as minimization pr_machine
“We apologize for any inconvenience this incident may cause.”

💡 A year-long security failure is reduced to a minor inconvenience through corporate language.

QUOTE 12 Priorities claim contradicted profit
“the privacy, security, and confidentiality with which vendors treat our patients information is among our highest priorities”

💡 DRH claims vendor security is a top priority yet chose a vendor that allowed nine weeks of unauthorized file copying.

Frequently Asked Questions

What happened in this data breach?
An unknown hacker broke into the computer systems at Nationwide Recovery Services, a debt collector used by DRH Health. The hacker spent nine weeks copying patient files between May and July 2024. NRS detected the breach on July 11, 2024, but did not tell DRH Health until February 2025, seven months later. DRH then took another six weeks to notify patients.
How long did the hacker have access to patient files?
The hacker had unauthorized access from May 5, 2024 to July 11, 2024, a period of over nine weeks. During this time, the hacker copied files stored on at least one NRS system.
Why did it take almost a year to notify patients?
NRS waited seven months after detecting the breach before telling DRH Health that patient information was affected. DRH then spent six more weeks reviewing records and identifying patients. The notification letter provides no explanation for the seven-month delay by NRS.
What patient information was exposed?
The investigation could not conclusively determine what specific information was stolen for each patient. The letter indicates that personal information relating to patients may have potentially been present in the copied files, but does not specify exactly what data each person lost.
Why was my information at a debt collector?
DRH Health used Nationwide Recovery Services for various services including payment collection. When patients had outstanding medical bills, their personal and billing information was sent to this third party vendor outside the hospital’s direct control.
Is DRH Health still using Nationwide Recovery Services?
The notification letter does not say whether DRH continues to use NRS for debt collection or what security improvements have been required. No information is provided about whether the business relationship continues.
What credit monitoring is being offered?
DRH is offering single bureau credit monitoring, which tracks changes with only one of the three major credit bureaus. This is less comprehensive than three-bureau monitoring. You must enroll yourself online within a deadline specified in your letter, and the free monitoring lasts for a limited time period.
What should I do to protect myself?
Enroll in the credit monitoring offered in your notification letter. Place a security freeze on your credit reports with all three bureaus (Equifax, Experian, and TransUnion). Monitor your medical records for any unfamiliar treatments or prescriptions. Review all insurance explanation of benefits statements for services you did not receive. Consider filing a police report to document the breach for future fraud disputes.
Can I sue over this breach?
The breach involved confirmed unauthorized access, prolonged exposure, and a seven-month notification delay. These facts establish concrete harm and potential negligence. You may want to consult a consumer protection attorney to discuss whether you have grounds for legal action, especially if you experience identity theft or financial losses.
Has anyone been held accountable?
The notification letter names no executives at DRH Health or Nationwide Recovery Services. It mentions no fines, penalties, executive pay clawbacks, or security improvements. No one has been publicly identified as responsible for the breach or the seven-month notification delay.
Post ID: 4106  ·  Slug: drh-health-data-breach-corporate-misconduct  ·  Original: 2025-05-19  ·  Rebuilt: 2026-03-20


Aleeia

I'm the creator of this website. I have 6+ years of experience as an independent researcher studying corporatocracy and its detrimental effects on every single aspect of society.


All posts published by this profile were either personally written by me, or I actively edited / reviewed them before publishing. Thank you for your attention to this matter.
