Harbin Clinic Data Breach 2025: 176,149 Patients Exposed via Nationwide Recovery Services Vendor Hack. Class Action Filed. What To Do
Harbin Clinic, a multi-specialty physician group in Rome, Georgia, notified 176,149 patients after debt-collection vendor NRS was hacked in July 2024. Eight lawsuits were consolidated in federal court in August 2025. SSNs, financial account info, and medical-related data exposed. Kroll 24-month monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jul 5, 2024
Unauthorized access to NRS network begins (per forensic investigation)
Jul 11, 2024
NRS detects suspicious activity; unauthorized access ends
Feb 1, 2025
NRS completes review and informs Harbin Clinic that patient data was in copied files (February 2025)
Mar 1, 2025
NRS provides Harbin with the list of 210,140 affected individuals and the categories of data involved (March 2025)
May 16, 2025
Harbin Clinic begins mailing patient notification letters; HHS OCR filing posted (176,149 individuals)
May 20, 2025
Plaintiffs' firms (Strauss Borrelli, Edelson Lechtzin, Federman & Sherwood, Lynch Carpenter) publicly announce investigations
Jun 26, 2025
At least 8 individual class action complaints removed to N.D. Georgia federal court (Stout, Dean, Ellenburg, Hudgins, Nash, Rangel, Shutley, Staples). Harbin files third-party complaint against NRS.
Aug 4, 2025
Court grants Harbin Clinic's motion to consolidate 8 related actions; lead case Staples v. Harbin Clinic (4:25-cv-00130) before Judge William M. Ray II
Aug 7, 2025
Plaintiffs file Motion to Appoint Interim Class Counsel (Shamis & Gentile as lead)
Nov 25, 2025
Plaintiffs file status report regarding mediation
Jul 5, 2024
Unauthorized access to NRS network begins (per forensic investigation)
Jul 11, 2024
NRS detects suspicious activity; unauthorized access ends
Feb 1, 2025
NRS completes review and informs Harbin Clinic that patient data was in copied files (February 2025)
Mar 1, 2025
NRS provides Harbin with the list of 210,140 affected individuals and the categories of data involved (March 2025)
May 16, 2025
Harbin Clinic begins mailing patient notification letters; HHS OCR filing posted (176,149 individuals)
May 20, 2025
Plaintiffs' firms (Strauss Borrelli, Edelson Lechtzin, Federman & Sherwood, Lynch Carpenter) publicly announce investigations
Jun 26, 2025
At least 8 individual class action complaints removed to N.D. Georgia federal court (Stout, Dean, Ellenburg, Hudgins, Nash, Rangel, Shutley, Staples). Harbin files third-party complaint against NRS.
Aug 4, 2025
Court grants Harbin Clinic's motion to consolidate 8 related actions; lead case Staples v. Harbin Clinic (4:25-cv-00130) before Judge William M. Ray II
Aug 7, 2025
Plaintiffs file Motion to Appoint Interim Class Counsel (Shamis & Gentile as lead)
Nov 25, 2025
Plaintiffs file status report regarding mediation
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Harbin Clinic, a multi-specialty physician group headquartered in Rome, Georgia with locations across northwest Georgia and roughly 1,400 staff, began mailing breach notification letters on May 16, 2025 to 176,149 patients whose information was compromised in a hack of its debt-collection vendor, Nationwide Recovery Services, Inc. (NRS). The intrusion happened almost a year earlier, between July 5 and July 11, 2024, and was confined to NRS’s network. Harbin Clinic’s own systems were not accessed.
Harbin’s filing landed on the HHS OCR breach portal as a Hacking/IT Incident at a Network Server with a business associate involved. A separate filing with the Maine Attorney General put the total at 210,140 individuals. Harbin’s HHS OCR figure of 176,149 is the federally reported count and the one used on this page; the difference reflects scope and reporting-criteria variation between the two filings, not a correction.
The NRS hack is a multi-entity vendor breach affecting a large number of healthcare providers. As of July 2025, at least 15 NRS clients had reported downstream breaches to federal and state regulators, collectively accounting for more than 516,000 affected individuals across Georgia, Tennessee, New Jersey, Illinois, and other states. Harbin Clinic is the single largest downstream entity by affected count in the cluster.
Timeline
- July 5, 2024. Unauthorized access to NRS’s network begins, per the forensic investigation.
- July 11, 2024. NRS identifies suspicious activity. Access ends the same day.
- February 2025. NRS completes its review and informs Harbin that some of the copied files contained data on patients and guarantors whose accounts had been sent to collections or were involved in other legal proceedings.
- March 2025. NRS provides Harbin with the list of 210,140 affected individuals and the categories of data involved.
- May 16, 2025. Harbin Clinic begins sending notification letters; the HHS OCR portal entry (176,149 individuals) is posted.
- May 20–22, 2025. Plaintiffs’ firms publicly announce investigations.
- June 26, 2025. At least eight class action complaints are removed to U.S. District Court for the Northern District of Georgia. Harbin Clinic simultaneously files a third-party complaint against NRS.
- August 4, 2025. Court grants Harbin’s motion to consolidate all eight related actions. Lead case: Staples v. Harbin Clinic, LLC, et al. (4:25-cv-00130), assigned to Judge William M. Ray II.
- August 7, 2025. Plaintiffs file a Motion to Appoint Interim Class Counsel (Shamis & Gentile as lead movant).
- November 25, 2025. Plaintiffs file a status report regarding mediation. Litigation remains pending.
What was exposed
Per Harbin Clinic’s notification and the secondary reporting:
- Full name
- Address
- Date of birth
- Social Security number
- Financial account information
- Guarantor information
- Medical-related information
Threat actor attribution is disputed. Cybernews reported that the Cl0p ransomware group claimed responsibility for the NRS intrusion and posted stolen data to its dark-web leak site after NRS did not engage. However, The Record from Recorded Future News reported that “no cybercriminal group ever took credit for the attack” and that a ransom payment may explain the silence. The HIPAA Guide reached the same conclusion. Both positions are single-source and neither can be confirmed on the public record. The data-posting claim from Cybernews is about NRS’s stolen data set generally, not a Harbin-specific leak-site listing.
What Harbin is offering
Harbin Clinic is offering affected individuals a complimentary 24-month membership to Kroll identity monitoring services. The Kroll offering includes:
- Single-bureau credit monitoring
- Fraud consultation
- Identity theft restoration
Harbin has also advised affected individuals to remain vigilant against identity theft and fraud for the next 12 to 24 months.
Affected individuals can reach the dedicated breach call center at (866) 408-3081, open Monday through Friday, 9:00 a.m. to 6:30 p.m. Eastern Time, excluding major U.S. holidays. Questions can also be directed to the website referenced in notification letters.
Class-action posture
At least eight individual class action complaints against Harbin Clinic were filed in Georgia state and federal courts and subsequently removed to the U.S. District Court for the Northern District of Georgia. On August 4, 2025, the court consolidated all eight cases under the lead docket Staples v. Harbin Clinic, LLC, et al., Case No. 4:25-cv-00130, before Judge William M. Ray II. The other consolidated cases are: Nash v. Harbin Clinic (4:25-cv-00137), Hudgins v. Harbin Clinic (4:25-cv-00174), Shutley v. Harbin Clinic (4:25-cv-00175), Dean v. Harbin Clinic (4:25-cv-00176), Stout v. Harbin Clinic (4:25-cv-00177), Ellenburg v. Harbin Clinic (4:25-cv-00178), and Rangel v. Harbin Clinic.
On August 7, 2025, plaintiffs filed a motion to appoint interim class counsel. Harbin Clinic also filed a third-party complaint against NRS in the consolidated action. A plaintiffs’ status report on mediation was filed November 25, 2025. The litigation remains pending.
Separately, NRS itself is named as a defendant in approximately a dozen proposed federal class action lawsuits filed by other downstream victims, per BankInfoSecurity reporting as of July 2025.
Plaintiffs’ firms that publicly announced investigations include:
- Shamis & Gentile (Andrew Shamis — lead movant for interim class counsel)
- Edelson Lechtzin LLP
- Federman & Sherwood
- Strauss Borrelli PLLC
- Lynch Carpenter LLP
- Morgan & Morgan (ForThePeople.com)
What to do
- Enroll in the Kroll 24-month monitoring offered in your notification letter if you received one. The activation code is in the letter; the enrollment window is finite. For enrollment questions, call the dedicated breach hotline at (866) 408-3081, Monday through Friday, 9:00 a.m. to 6:30 p.m. Eastern Time.
- Place free credit freezes at Equifax, Experian, and TransUnion. Kroll’s offering is single-bureau monitoring, which is not a substitute for freezes at all three.
- Pull free credit reports at
annualcreditreport.comand watch for unfamiliar accounts, especially given that Social Security numbers and financial account information are in scope. - Watch for collections-related phishing. Because the exposed data set came from a debt-collection vendor and includes guarantor information, expect targeted scam calls and emails that reference real account details — callers may cite real balances or account numbers to seem credible.
- If Social Security numbers are involved, file IRS Form 14039 (Identity Theft Affidavit) with the IRS to flag your SSN and reduce the risk of fraudulent tax filings.
- Did not receive a letter but suspect you should have? Contact Harbin Clinic at the hotline above or write to its privacy officer. The Maine AG filing lists 210,140 individuals; the HHS OCR count is 176,149 — if your account was in collections or related legal proceedings at Harbin, you are likely in scope.
- Stop the ongoing flow of your medical and financial data to debt-collection vendors. HealthConsent files HIPAA restriction requests targeting the revenue-cycle and debt-collection pathways at your providers. That is the exact pathway that exposed your information in this breach — preventing your records from flowing to the next NRS-type vendor starts with a filed restriction request.
Sources
- HHS Office for Civil Rights Breach Portal — primary federal record (176,149).
- HIPAA Journal — Harbin Clinic / Nationwide Recovery Services data breach — timeline, data elements, Kroll offering.
- SecurityWeek — 200,000 Harbin Clinic Patients Impacted by NRS Data Breach — affected counts.
- Infosecurity Magazine — Debt Collector Data Breach — vendor context, Maine AG count (210,140).
- Cybernews — 210k patients hit after Georgia clinic’s vendor hack — Cl0p attribution claim and dark-web posting.
- The Record (Recorded Future News) — NRS breach exposes medical info of 500,000+ people — disputes attribution; “no cybercriminal group ever took credit”; cluster scope.
- HIPAA Guide — Victim Count of NRS Data Breach Grows to 516,000 — downstream entity cluster table, ransom-payment hypothesis.
- BankInfoSecurity — Nationwide Recovery Service Hack Grows to 500,000 Victims — approximately one dozen proposed class actions against NRS; vendor risk analysis.
- Northwest Georgia News (Rome) — Harbin Clinic Offering Protections After Vendor Data Breach — local coverage.
- ClassAction.org — Harbin Clinic Data Breach Lawsuit Investigation — plaintiffs’ firm activity.
- PacerMonitor — Staples v. Harbin Clinic LLC (4:25-cv-00130) — consolidation order, class counsel motion, mediation status.
- Harbin Clinic notification letter (via ClassAction.org) — Kroll activation, call center number (866) 408-3081.
- Lynch Carpenter announcement (GlobeNewswire) — investigation announcement.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal (primary federal record, 176,149 individuals)
- HIPAA Journal — Harbin Clinic / Nationwide Recovery Services data breach
- SecurityWeek — 200,000 Harbin Clinic Patients Impacted by NRS Data Breach
- Infosecurity Magazine — Debt Collector Data Breach Affects 200,000 Harbin Clinic Patients
- Cybernews — 210k patients hit after Georgia clinic's vendor hack (Cl0p attribution)
- Northwest Georgia News — Harbin Clinic Offering Protections After Vendor Data Breach (local Rome coverage)
- ClassAction.org — Harbin Clinic Data Breach Lawsuit Investigation
- Lynch Carpenter — Investigating Claims in Harbin Clinic Data Breach (GlobeNewswire)
- The Record (Recorded Future News) — NRS breach exposes medical info of 500,000+ across multiple providers
- HIPAA Guide — Victim Count of Nationwide Recovery Service Data Breach Grows to 516,000 Individuals (cluster table)
- BankInfoSecurity — Nationwide Recovery Service Hack Grows to 500,000 Victims
- PacerMonitor — Staples v. Harbin Clinic LLC (4:25-cv-00130), consolidation order and docket (N.D. Ga.)
- Harbin Clinic notification letter (via ClassAction.org) — Kroll activation details and call center number
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.