Officers at Hamilton County in Tennessee have stated that the protected health information (PHI) of 14,081 people was exposed in a security incident at a business associate, Nationwide Recovery Service. Based on the notification letters, on July 14, 2024, the debt collection agency informed the Hamilton County Government concerning a cybersecurity incident that was happening during the time and mentioned more information would be given as the investigation continued. After seven months, on February 24, 2025, a letter sent to the Hamilton County Attorney’s Office provided news about the incident, validating that unauthorized access to the Nationwide Recovery Service network happened from July 5, 2024 to July 11, 2024. In that incident, the attacker stole files from its system.
The analysis showed that the following data were stolen: names, addresses, birth dates, financial account data, Social Security numbers, medical data, and other types of data given by Hamilton County associated with the collection of finances for overdue accounts.
Questions were brought up concerning the notification process. Mayor Weston Wamp of Hamilton County stated that the first “notice” sent by Nationwide Recovery Service in July 2024 wasn’t about a data breach since it advised about suspicious activity that was discovered. A data breach was just confirmed in February after the Attorney’s Office got the official breach notification letter.
Mayor Wamp additionally stated that the first time he knew about the data breach was on March 11, 2025. That was 15 days following the receipt of the data breach notice by the County Attorney’s Office and 6 days after the Baker Donelson law firm met about HIPAA compliance. The county government already knew about the breach before the meeting, although it was not shared with any person having oversight of the daily county government operations.
Mayor Wamp is the Chief Executive Officer of the Hamilton County government and is accountable for making sure that the government complies with all pertinent legislation. Nevertheless, that obligation is determined by prompt communication with the Mayor’s office. If critical data is not shared or is delayed, it undermines the county’s capability to work quickly and puts it at legal and reputational danger.
Hamilton County has stated that it will mail individual notification letters within 60 days as required by HIPAA. Talks are continuing concerning the measures that can be undertaken to make sure any future HIPAA incidents are conveyed to all concerned individuals promptly.