Hamilton County investigates data breach affecting 14,000 ambulance customers

Hamilton County officials are preparing to notify approximately 14,000 ambulance customers whose private information may have been compromised in a data breach involving a county contractor, according to Mayor Weston Wamp. The breach, linked to Nationwide Recovery Services, a debt collection agency based in Cleveland, Tennessee, was publicly revealed last week following a report by the Chattanooga Times Free Press.

The breach was first referenced in a confidential memo from the county attorney’s office dated March 11, which suggested that county officials were alerted as early as July 2024 but failed to notify affected individuals within the 60-day legal window. However, Wamp disputed that timeline on Tuesday, arguing that the county was not officially notified of a breach until February 2025.

The issue centers on an email sent by Nationwide Recovery Services in July, which mentioned "suspicious activity" in its network but did not explicitly refer to a data breach. The email stated that the company was investigating a cybersecurity incident but had not yet determined its full scope or impact.

According to Wamp, that email did not meet the legal criteria for a data breach notification. "It’s very clearly not a notification," he stated. "In fact, the word ’breach’ is not in the email."

A more formal notice arrived months later, in a Feb. 17 letter received by the county on Feb. 24. That letter confirmed the breach and indicated that potentially compromised information included names, addresses, Social Security numbers, dates of birth, financial account details, and medical information. Officials asserted Tuesday that this letter triggered the 60-day notification requirement.

Despite this, Nationwide Recovery Services had informed the U.S. Department of Health and Human Services (HHS) of the breach months earlier, reporting a "hacking/IT incident" on Sept. 9, 2024. The company’s February letter to the county reiterated that it had "no evidence to suggest there has been identity theft or fraud" but was providing notice as a precaution.