As first reported by CBS News, nearly 40,000 patients affiliated with the UChicago Medical Group—not the University of Chicago Medical Center—were affected by a breach tied to Nationwide Recovery Services, a third-party debt collection vendor.

The vendor notified UChicago Medicine of the incident in April 2025, months after a July 2024 cyberattack compromised patients’ names, birthdates, Social Security numbers, medical details, and financial information.
The hospital system has since terminated its relationship with the vendor and is directly notifying affected individuals. Security experts noted that third-party breaches are especially concerning due to the difficulty in monitoring outsourced data flows. This incident adds to a growing trend of cyberattacks targeting healthcare organizations, with other recent breaches impacting Loretto Hospital and Lurie Children’s Hospital, where attackers even attempted to auction stolen data on the dark web.
Experts emphasize that while healthcare systems often operate under tight budgets, the growing frequency and severity of breaches demand proactive cybersecurity measures. Patients are urged to freeze their credit, monitor financial accounts, and be cautious of phishing scams.
As attackers increasingly disregard healthcare’s once-taboo status, incidents like this highlight a sector struggling to keep pace with rising cyber threats.