County officials said a data breach affected 14,081 individuals, and notices are now going out.
Officials said, "Hamilton County Government is a Covered Entity under HIPAA. Recently, its business associate, Nationwide Recovery Service, Inc. suffered a cybersecurity breach reportedly affecting 14,081 individuals.
"HIPAA requires a Covered Entity to provide notification to prominent media outlets serving the State or jurisdiction where more than 500 residents have been affected by a breach of their protected health information and where greater than 10 individuals’ mailing addresses are insufficient to provide notice by first class mail.
"Greater than 500 residents living in Tennessee and Georgia were affected and more than 10 individuals’ mailing addresses are insufficient to provide notice by first class mail."
Here is the county's Breach Notification:
HIPAA requires notice to individuals when there has been a breach of their protected health information (“PHI”). You are receiving this letter as part of Hamilton County’s compliance with HIPAA.
Nationwide Recovery Service is a business associate (agent) of Hamilton County Government that provides debt collection services for delinquent accounts for various departments, offices and organizational components of Hamilton County Government. On July 14, 2024, Hamilton County Government received an email from NRS with an attached letter.
The letter confirmed NRS had suffered a cybersecurity event that was reported to federal law enforcement. NRS said its investigation was ongoing and that additional information would be provided as it became available.
On Monday, February 24, 2025, the Hamilton County Attorney’s Office received a letter via U.S.Mail from NRS supplementing their July 14, 2024, notice. The letter stated that NRS’s investigation recently found that there was unauthorized access to the NRS network between July 5, 2024, and July 11, 2024, and that certain files and folders were copied from the system. NRS determined that the compromised information potentially included names, addresses, Social Security numbers, dates of birth, financial account information and/or medical related information, among other information provided to NRS by Hamilton County.
Hamilton County’s (HCG) response to this breach:
1. Monday, February 24, 2025, the Hamilton County HIPAA Privacy Officer (“Privacy Officer”) was made aware of the breach, and promptly notified the Hamilton County Attorney, Rheubin Taylor, and the Hamilton County Compliance Task Force Chairman, Commissioner, David Sharpe. The same day, the Privacy Officer began an investigation, both internally and externally, of the reported “incident.”
2. Monday, March 3, 2025, EMS Billing (a department of Hamilton County Government) emailed to the County Attorney’s Office a copy of the letter from NRS supplementing their July 14, 2024, notice regarding “Nationwide Recovery Services, Inc. Data Security Event.”
3. Privacy Officer was told by EMS Billing staff that no PHI was transmitted to NRS from July 5, 2024 through July 11, 2024.
4. Wednesday, March 5, 2025, at 3:12 p.m., in response to her investigation, the HIPAA Privacy Officer received email notice from NRS that 14,084 individuals’ protected health information was in the NRS system that was breached.
5. Tuesday, March 11, 2025, the County Attorney’s Office provided written notification to the Mayor’s Office and the Hamilton County Commission regarding the extent of the breach, the notification periods and requirements, and the need for additional resources to comply with the Breach Notification Rule.
6. Wednesday, March 19, 2025, the County Attorney provided additional information to the Mayor’s Office and the Hamilton County Commission.
7. Although the Hamilton County HIPAA investigation continues, it is the recommendation of the Privacy Officer that immediate preliminary notification be made to the Secretary of Health and Human Services and to the media for patient notification, as required by HIPAA. Additional supplemental information will be provided upon completion of the investigation.
8. Notification will be sent to the affected individuals as soon as the Hamilton County HIPAA investigation is complete and all mailing addresses are verified.
Steps you should take to protect yourself from potential harm resulting from the breach:
1. Monitor your credit. By law, you can obtain a free credit report each year from each of the three credit reporting agencies (CRAs). These agencies include Equifax, Experian, and TransUnion. AnnualCreditReport.com is the only website authorized by the federal government to issue free, annual credit reports from the three CRAs. You may request your reports: • Online by visiting AnnualCreditReport.com • By calling 1-877-322-8228 (TTY: 1-800-821-7232) • By filling out the Annual Credit Report request form and mailing it to:o Annual Credit Report Request Service PO Box 105281 Atlanta, GA 30348-5281
2. Monitor your medical record. A medical provider includes your doctor, hospital, therapist, and any individual or organization that provides health care services to you. When you have an appointment with your provider, ask for a copy of your visit summary. Read through your visit summary to make sure the information is about you and is correct. If you have any questions about the information in your visit summary, ask your provider to review it with you. If errors are found, ask your provider to make a correction. You do not have to wait for a future appointment. HIPAA gives you the right to review your medical record at any time and the right to request changes. Ask your provider for a copy of their Notice of Privacy Practices or their policy about your rights to access and request changes to your record.
Hamilton County sincerely regrets that this has happened, and apologizes for any inconvenience this breach may have caused our citizens. Hamilton County Government is committed to providing quality patient care, including protecting your personal information.
If you have any questions, please contact our HIPAA Privacy Officer, Angela Duncan, by phone at 1-833-484-8671 or by email at HIPAA@HamiltonTN.gov. Please include the words “HIPAA Breach” in the subject line of your email.