UChicago Medicine Severs Vendor Ties Following Data Breach, Reframes Risk in Third-Party Partnerships

UChicago Medicine Medical Group has officially ended its relationship with Nationwide Recovery Services (NRS) after a cybersecurity breach compromised sensitive personal data tied to debt collection and recovery activities. The breach, which occurred between July 5 and July 11, 2024, enabled an unauthorized party to access data from NRS systems, including files containing patient names, birthdates, Social Security numbers, financial account information, and potentially medical-related financial data.
While NRS reported no current evidence of misuse (a statement about what had been observed at the time of notification, not a guarantee against later misuse), UChicago took decisive action to terminate the partnership. The organization has also begun notifying affected patients and urging vigilance around fraud, identity theft, and anomalous medical claims. UChicago’s statement reflects a broader industry trend of distancing from vendors unable to meet escalating cybersecurity expectations, especially vendors that handle financial or health-related data and therefore carry growing risk exposure.
The incident comes amid a sustained rise in healthcare data breaches, most notably the March 2025 event at Yale New Haven Health that exposed data belonging to over 5 million individuals. In both cases, external cybersecurity investigations confirmed unauthorized access and data exfiltration. For Yale, the compromised fields included not just contact and demographic data but also race, ethnicity, and in some cases Social Security numbers, a stark reminder of how far beyond basic billing data these breaches now reach.
Industry data continue to underscore the systemic risk. A recent report from KnowBe4 found that healthcare remains the most expensive industry for data breaches, with the average cost now nearing $11 million per event. More than 70 percent of these attacks involve ransomware, and these are not merely attacks on availability: they are full-blown data theft and extortion operations in which exfiltrated records are leveraged alongside encryption.
The breach at NRS reopens a longstanding risk management question in healthcare IT: How should health systems govern downstream vendors who hold sensitive data but fall outside of core clinical or operational purview? Many collection agencies, claims processors, and analytics vendors operate under business associate agreements that technically require HIPAA compliance. Yet enforcement is often lax until a breach has already occurred.
The reality is that financial services vendors often aggregate some of the most breach-prone information: identifiable personal data combined with billing, insurance, and sometimes partial clinical documentation. As a result, they are prime targets but often lack the capital or culture to mount modern defenses.
In response, some health systems are beginning to revisit the very premise of vendor delegation for revenue cycle functions. Insourcing of select collections processes, stricter business associate contract requirements, and real-time audit tooling are rising to the top of CIO risk agendas. And in the case of UChicago, reputational risk was clearly enough to justify severing ties.
The breach will not be the last, but it may signal a shift in institutional posture. When a partner fails to protect patient data, cutting ties may now be the opening move and not the end of the conversation. For health systems navigating a volatile threat environment, third-party accountability is fast becoming a pillar of cybersecurity strategy.