UChicago Medicine alerts 38,000 patients of data breach linked to third-party vendor

UChicago Medicine has notified approximately 38,000 patients of the UChicago Medicine Medical Group that their personal information may have been compromised in a cybersecurity breach involving a third-party vendor, Nationwide Recovery Services (NRS).

The medical institution reported being alerted in April 2025 by NRS, a Tennessee-based company that provides recovery management and collections services for healthcare organizations. According to the notice, the breach occurred between July 5 and July 11, 2024, when unauthorized access was gained to NRS systems. Files and folders containing sensitive data were accessed during the intrusion.

Information potentially exposed in the breach includes patient names, addresses, dates of birth, Social Security numbers, financial account details, and medical information provided to NRS in the course of its financial services on behalf of UChicago Medicine Medical Group.

UChicago Medicine clarified that the breach affected only patients of the UChicago Medicine Medical Group, and not those receiving care through the University of Chicago Medical Center. In response, the medical group has ended its relationship with Nationwide Recovery Services.

“UChicago Medicine Medical Group is committed to protecting the confidentiality and security of personal information,” the organization said in a public statement.

Efforts to inform affected individuals are underway. Patients with available mailing addresses are receiving direct notification by mail, while a public notice has been posted online for those without contact information on file. The medical group is advising patients to monitor their financial accounts and credit reports for any unusual activity and to remain vigilant for signs of fraud or identity theft.

NRS stated that it has not identified any misuse of the accessed information. However, the full scope of the breach may extend beyond UChicago Medicine. Other clients of Nationwide Recovery Services impacted by the same cybersecurity incident include the City of Chattanooga, MAK Anesthesia, Duncan Regional Hospital, Swedish Edmonds Hospital, and Smile Solutions of Goodlettsville.