Cyber attack on collection agency compromised Vitruvian Health’s patient data

Texas-based Vitruvian Health said a data security incident suffered by one of its service providers last year compromised the sensitive personal information of more than 85,000 individuals.

 

Headquartered in Dalton, Texas, Hamilton Healthcare System, doing business as Vitruvian Health, offers a range of services from mental health treatment to general medicine. The healthcare company operates a 25-bed surgical hospital, three clinics, a special care clinic, a wellness centre and EMS service.

 

In a data security incident notice filed with the Office of Maine Attorney General, Vitruvian Health said that on July 11, 2024, Nationwide Recovery Service, a third-party collection agency that offers its services to the healthcare provider, suffered a security incident that affected its internal network.

 

“The NRS investigation revealed that an unauthorised individual accessed NRS Systems from July 5, 2024 to July 11, 2024 and removed data from the system. Vitruvian Health was notified by NRS on February 24, 2025, that our patients’ information was amongst the data affected by this incident,” reads the notice.

 

The compromised data included patients’ names, addresses, Social Security numbers, dates of birth, financial account information and other medical information of Vitruvian Health’s patients. In the filing with the Maine state regulator, the healthcare provider said it has identified at least 88,848 individuals who were impacted by the incident.

 

Vitruvian Health added its internal network wasn’t affected and that the incident was limited to NRS systems.

 

“NRS has assured Vitruvian Health that NRS has implemented additional data security safeguards and reviewed its existing policies to improve its security posture to help prevent a similar incident from occurring in the future. Notifications have been provided to law enforcement and the credit monitoring bureaus,” Vitruvian Health added.

 

The healthcare provider has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. It has also offered one year of complimentary credit monitoring and identity theft protection services via IDX to all affected individuals.

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on NRS. The collection agency also did not share details on who was behind the attack, how much data was compromised, or whether it has received a ransom demand.