Four people this month have sued a Cleveland, Tennessee, debt collections agency in federal court following a July 2024 data breach.
Felicia Cooper, Charles Mitchell and Gary Self, all of Georgia, and Lisa Nail of New York have each filed lawsuits against Nationwide Recovery Services. They allege that the company, which acquired their personal data through its contracts with entities including governments, hospitals and other health care providers, violated federal guidelines and broke federal privacy laws.
The four plaintiffs argued, in separate complaints in federal court, that Nationwide was negligent in its cybersecurity practices. The data breach that exposed their information is itself evidence of bad practice, they said.
They said in their filings that Nationwide also delayed in notifying them of the breach, which could have increased the exposure of their private financial and medical information. Mitchell, Self and Cooper are also suing Vitruvian Health, a Georgia-based health care company that operates Hamilton Medical Center in Dalton as well as clinics in Cleveland and Collegedale. Rhea Medical Center in Dayton is listed as a defendant alongside Nationwide in Nail’s suit.
The four plaintiffs asked the court to recognize their suits as class actions, hold a jury trial and award them an unspecified amount of damages. Some of them also asked that Nationwide and other defendants surrender proceeds tied to the breached data and that the court compel the defendants to implement stronger cybersecurity controls and prevent “deceptive practices.”
Nationwide, Vitruvian and Rhea County Medical Center representatives did not respond to voicemails left requesting comments Wednesday.
BREACH TIMELINE
The breach started around July 5, according to the lawsuits. Hackers viewed the data in the system and removed some of it, the complaints said.
Nationwide discovered the breach July 11, and the company in February told Vitruvian and Rhea Medical Center that the breach could affect some of their patients.
The debt collector reported the breach to the Federal Trade Commission Sept. 9. When a data breach potentially affecting 500 or more people happens, the federal government requires a report to come within 60 days of an organization learning of the event.
Vitruvian wrote in letters to its patients that its systems were not affected by the breach and that Nationwide is reviewing its policies and adding safeguards to its systems. Rhea Medical Center staff said in a letter sent to Nail that as of late March they had no evidence the breach meant that any patient’s data had been misused, but that they were conducting their own investigations.
That’s not enough, the plaintiffs said in their lawsuits.
“Plaintiff and members of the proposed class are victims of defendants’ negligence and inadequate cyber security measures,” Mitchell’s complaint said. “Specifically, plaintiff and members of the proposed class trusted defendants with their sensitive information. But defendants betrayed that trust. Defendants failed to properly use up-to-date security practices to prevent the data breach.”
The plaintiffs said in their filings they started receiving notices their data may have been compromised in March and mid-April. Those delays and poor cybersecurity measures put the people whose data were contained in the breached system at serious risk, the lawsuits said.
The data included their Social Security numbers, addresses and birth dates.
DATA EXPOSURE
How many people had their data exposed in the breach is unknown now, according to Self’s complaint, as some organizations that contracted with Nationwide have not yet notified people whose data were exposed.
Mitchell’s suit says that the breach could have compromised the data of more than 88,000 people. Rhea Medical Center is trying to notify 8,309 people of the breach, according to an exhibit attached to Nail’s lawsuit.
The Hamilton County government also used Nationwide’s services, and its privacy officer earlier this year said in a memo that more than 14,000 people were affected by the breach of the county’s EMS system data during the Nationwide hack.
Hamilton County, like Vitruvian and Rhea Medical Center, in recent weeks has begun sending out notices to people who might have been affected by the data breach. An attorney for the city of Chattanooga also sent a letter to Nationwide demanding its representatives notify people whose data might have been exposed. The city on Tuesday opted to end a contract with the collector.
Contact Mariah Franklin at mfranklin@timesfreepress.com or 423-757-6354.