Rhea Medical Center Data Breach Affects 8,309 Patients

In early July 2024, Rhea Medical Center, a non-profit hospital in Dayton, Tennessee, was impacted by a data breach involving its business associate, Nationwide Recovery Service, Inc. (NRS). NRS, which provides debt collection services for Rhea Medical Center, detected suspicious activity on its network that led to a system outage. After immediate action to secure their environment, NRS launched an investigation and determined that unauthorized access to their network occurred between July 5, 2024, and July 11, 2024. During this time, certain files and folders were copied from their systems.

The breach review revealed that files containing sensitive information related to 8,309 Rhea Medical Center patients were compromised. The exposed data included both personally identifiable information (PII) and protected health information (PHI): names, addresses, Social Security numbers, financial information, and medical information.

The breach originated from an internal compromise of NRS’s network, not from Rhea Medical Center’s own systems. The incident was discovered by NRS on July 11, 2024, and after a thorough investigation to determine the scope and impact, Rhea Medical Center was notified that its patients’ data was involved. Full details and the official breach notice are available in the public disclosure posted by Rhea Medical Center.

Rhea Medical Center's response

Upon learning of the breach, Rhea Medical Center’s HIPAA Privacy Officer immediately notified legal counsel and began both internal and external investigations to determine the extent of the incident. The hospital is currently in the process of notifying all 8,309 potentially affected patients by mail at their last known addresses, in addition to this public notification.

Given the severity of the breach and the types of data involved, Rhea Medical Center recommends that affected individuals take several precautions:

• Review account statements and credit reports for any suspicious activity.
• Consider placing a fraud alert or security freeze on your credit file.
• Report any suspicious activity to your financial institution and law enforcement.
• Monitor your credit by obtaining a free credit report annually from each of the three major credit reporting agencies (Equifax, Experian, and TransUnion) through AnnualCreditReport.com.

If you have questions or need additional support, you can contact the Rhea Medical Center HIPAA Privacy Office by phone at 1-877-891-0986. For more information about the breach and steps you can take, refer to the official breach notification PDF on the hospital’s website.