Active breach tracker Rome, Georgia Disclosed May 16, 2025

Harbin Clinic Data Breach 2025: 176,149 Patients Exposed via Nationwide Recovery Services Vendor Hack. Class Action Filed. What To Do

Harbin Clinic, a multi-specialty physician group in Rome, Georgia, notified 176,149 patients after debt-collection vendor NRS was hacked in July 2024. Eight lawsuits were consolidated in federal court in August 2025. SSNs, financial account info, and medical-related data exposed. Kroll 24-month monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 5, 2024

Unauthorized access to NRS network begins (per forensic investigation)

Jul 11, 2024

NRS detects suspicious activity; unauthorized access ends

Feb 1, 2025

NRS completes review and informs Harbin Clinic that patient data was in copied files (February 2025)

Mar 1, 2025

NRS provides Harbin with the list of 210,140 affected individuals and the categories of data involved (March 2025)

May 16, 2025

Harbin Clinic begins mailing patient notification letters; HHS OCR filing posted (176,149 individuals)

May 20, 2025

Plaintiffs' firms (Strauss Borrelli, Edelson Lechtzin, Federman & Sherwood, Lynch Carpenter) publicly announce investigations

Jun 26, 2025

At least 8 individual class action complaints removed to N.D. Georgia federal court (Stout, Dean, Ellenburg, Hudgins, Nash, Rangel, Shutley, Staples). Harbin files third-party complaint against NRS.

Aug 4, 2025

Court grants Harbin Clinic's motion to consolidate 8 related actions; lead case Staples v. Harbin Clinic (4:25-cv-00130) before Judge William M. Ray II

Aug 7, 2025

Plaintiffs file Motion to Appoint Interim Class Counsel (Shamis & Gentile as lead)

Nov 25, 2025

Plaintiffs file status report regarding mediation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Address Financial account information Guarantor information Medical-related information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Shamis & Gentile / multiple co-counsel firms (filed — 8 cases consolidated, N.D. Ga., Staples v. Harbin Clinic 4:25-cv-00130, lead case) Edelson Lechtzin LLP (investigating; Edelson Lechtzin announced investigation May 19, 2025) Federman & Sherwood (investigating) Strauss Borrelli PLLC (investigating) Lynch Carpenter LLP (investigating) Morgan & Morgan / ForThePeople (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Harbin Clinic, a multi-specialty physician group headquartered in Rome, Georgia with locations across northwest Georgia and roughly 1,400 staff, began mailing breach notification letters on May 16, 2025 to 176,149 patients whose information was compromised in a hack of its debt-collection vendor, Nationwide Recovery Services, Inc. (NRS). The intrusion happened almost a year earlier, between July 5 and July 11, 2024, and was confined to NRS’s network. Harbin Clinic’s own systems were not accessed.

Harbin’s filing landed on the HHS OCR breach portal as a Hacking/IT Incident at a Network Server with a business associate involved. A separate filing with the Maine Attorney General put the total at 210,140 individuals. Harbin’s HHS OCR figure of 176,149 is the federally reported count and the one used on this page; the difference reflects scope and reporting-criteria variation between the two filings, not a correction.

The NRS hack is a multi-entity vendor breach affecting a large number of healthcare providers. As of July 2025, at least 15 NRS clients had reported downstream breaches to federal and state regulators, collectively accounting for more than 516,000 affected individuals across Georgia, Tennessee, New Jersey, Illinois, and other states. Harbin Clinic is the single largest downstream entity by affected count in the cluster.

Timeline

  • July 5, 2024. Unauthorized access to NRS’s network begins, per the forensic investigation.
  • July 11, 2024. NRS identifies suspicious activity. Access ends the same day.
  • February 2025. NRS completes its review and informs Harbin that some of the copied files contained data on patients and guarantors whose accounts had been sent to collections or were involved in other legal proceedings.
  • March 2025. NRS provides Harbin with the list of 210,140 affected individuals and the categories of data involved.
  • May 16, 2025. Harbin Clinic begins sending notification letters; the HHS OCR portal entry (176,149 individuals) is posted.
  • May 20–22, 2025. Plaintiffs’ firms publicly announce investigations.
  • June 26, 2025. At least eight class action complaints are removed to U.S. District Court for the Northern District of Georgia. Harbin Clinic simultaneously files a third-party complaint against NRS.
  • August 4, 2025. Court grants Harbin’s motion to consolidate all eight related actions. Lead case: Staples v. Harbin Clinic, LLC, et al. (4:25-cv-00130), assigned to Judge William M. Ray II.
  • August 7, 2025. Plaintiffs file a Motion to Appoint Interim Class Counsel (Shamis & Gentile as lead movant).
  • November 25, 2025. Plaintiffs file a status report regarding mediation. Litigation remains pending.

What was exposed

Per Harbin Clinic’s notification and the secondary reporting:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Financial account information
  • Guarantor information
  • Medical-related information

Threat actor attribution is disputed. Cybernews reported that the Cl0p ransomware group claimed responsibility for the NRS intrusion and posted stolen data to its dark-web leak site after NRS did not engage. However, The Record from Recorded Future News reported that “no cybercriminal group ever took credit for the attack” and that a ransom payment may explain the silence. The HIPAA Guide reached the same conclusion. Both positions are single-source and neither can be confirmed on the public record. The data-posting claim from Cybernews is about NRS’s stolen data set generally, not a Harbin-specific leak-site listing.

What Harbin is offering

Harbin Clinic is offering affected individuals a complimentary 24-month membership to Kroll identity monitoring services. The Kroll offering includes:

  • Single-bureau credit monitoring
  • Fraud consultation
  • Identity theft restoration

Harbin has also advised affected individuals to remain vigilant against identity theft and fraud for the next 12 to 24 months.

Affected individuals can reach the dedicated breach call center at (866) 408-3081, open Monday through Friday, 9:00 a.m. to 6:30 p.m. Eastern Time, excluding major U.S. holidays. Questions can also be directed to the website referenced in notification letters.

Class-action posture

At least eight individual class action complaints against Harbin Clinic were filed in Georgia state and federal courts and subsequently removed to the U.S. District Court for the Northern District of Georgia. On August 4, 2025, the court consolidated all eight cases under the lead docket Staples v. Harbin Clinic, LLC, et al., Case No. 4:25-cv-00130, before Judge William M. Ray II. The other consolidated cases are: Nash v. Harbin Clinic (4:25-cv-00137), Hudgins v. Harbin Clinic (4:25-cv-00174), Shutley v. Harbin Clinic (4:25-cv-00175), Dean v. Harbin Clinic (4:25-cv-00176), Stout v. Harbin Clinic (4:25-cv-00177), Ellenburg v. Harbin Clinic (4:25-cv-00178), and Rangel v. Harbin Clinic.

On August 7, 2025, plaintiffs filed a motion to appoint interim class counsel. Harbin Clinic also filed a third-party complaint against NRS in the consolidated action. A plaintiffs’ status report on mediation was filed November 25, 2025. The litigation remains pending.

Separately, NRS itself is named as a defendant in approximately a dozen proposed federal class action lawsuits filed by other downstream victims, per BankInfoSecurity reporting as of July 2025.

Plaintiffs’ firms that publicly announced investigations include:

  • Shamis & Gentile (Andrew Shamis — lead movant for interim class counsel)
  • Edelson Lechtzin LLP
  • Federman & Sherwood
  • Strauss Borrelli PLLC
  • Lynch Carpenter LLP
  • Morgan & Morgan (ForThePeople.com)

What to do

  1. Enroll in the Kroll 24-month monitoring offered in your notification letter if you received one. The activation code is in the letter; the enrollment window is finite. For enrollment questions, call the dedicated breach hotline at (866) 408-3081, Monday through Friday, 9:00 a.m. to 6:30 p.m. Eastern Time.
  2. Place free credit freezes at Equifax, Experian, and TransUnion. Kroll’s offering is single-bureau monitoring, which is not a substitute for freezes at all three.
  3. Pull free credit reports at annualcreditreport.com and watch for unfamiliar accounts, especially given that Social Security numbers and financial account information are in scope.
  4. Watch for collections-related phishing. Because the exposed data set came from a debt-collection vendor and includes guarantor information, expect targeted scam calls and emails that reference real account details — callers may cite real balances or account numbers to seem credible.
  5. If Social Security numbers are involved, file IRS Form 14039 (Identity Theft Affidavit) with the IRS to flag your SSN and reduce the risk of fraudulent tax filings.
  6. Did not receive a letter but suspect you should have? Contact Harbin Clinic at the hotline above or write to its privacy officer. The Maine AG filing lists 210,140 individuals; the HHS OCR count is 176,149 — if your account was in collections or related legal proceedings at Harbin, you are likely in scope.
  7. Stop the ongoing flow of your medical and financial data to debt-collection vendors. HealthConsent files HIPAA restriction requests targeting the revenue-cycle and debt-collection pathways at your providers. That is the exact pathway that exposed your information in this breach — preventing your records from flowing to the next NRS-type vendor starts with a filed restriction request.

Sources

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.