Nova Recovery Center Data Breach: 6,242 Patients Affected in May 2025 Cyberattack

Nova Recovery Center, LLC, a Texas-based healthcare provider specializing in addiction recovery services, suffered a significant data breach in May 2025 that compromised the personal information of 6,242 individuals. The incident, which involved a targeted cyberattack on the organization's computer systems, has since resulted in a class action lawsuit and settlement offering up to $5,000 per affected individual.

What Happened

In May 2025, Nova Recovery Center's network servers were compromised in what the organization described as a "targeted cyberattack." The breach was classified as a hacking/IT incident that allowed unauthorized actors to access certain files containing private patient information stored on the company's network servers.

The breach was reported to the Department of Health and Human Services (HHS) on July 24, 2025, appearing on the HHS Wall of Shame—the federal database that tracks healthcare data breaches affecting 500 or more individuals. This reporting timeline suggests the organization discovered the incident sometime between the May attack and the July reporting date, though specific discovery details have not been publicly disclosed.

The cyberattack specifically targeted Nova Recovery Center's computer systems, with threat actors successfully accessing files that contained sensitive personal information belonging to patients and potentially staff members.

Who Is Affected

The data breach impacted 6,242 individuals who had their personal information stored on Nova Recovery Center's compromised network servers. Given that Nova Recovery Center specializes in addiction recovery services, the affected individuals likely include:

• Current and former patients receiving addiction treatment
• Family members involved in treatment programs
• Healthcare providers and staff members
• Insurance contacts and emergency contacts listed in patient files

The breach particularly affects individuals in Texas, where Nova Recovery Center operates, though patients from other states who received services at the facility may also be impacted.

Breach Details

While Nova Recovery Center has not released comprehensive details about the specific nature of the cyberattack, the incident has been classified as a network server breach resulting from hacking activities. The attackers were able to access "certain files that contained private information," though the exact types of data compromised have not been fully detailed in public disclosures.

The breach occurred during a time when healthcare organizations have faced increasing cybersecurity threats, particularly those serving vulnerable populations like individuals seeking addiction recovery services. These facilities often store highly sensitive information including:

• Medical records and treatment histories
• Social Security numbers
• Insurance information
• Personal contact details
• Mental health and substance abuse records
• Financial information

The targeted nature of the attack suggests sophisticated threat actors may have specifically chosen Nova Recovery Center, potentially recognizing the sensitive nature of addiction treatment records and their value on illegal markets.

Legal Action and Settlement

The data breach has resulted in significant legal consequences for Nova Recovery Center. A class action lawsuit, Glover v. Nova Recovery LLC d/b/a Nova Recovery Center (Case No. 25-2312-DCE), was filed in the District Court of Hays County, Texas.

The plaintiff in the case alleged that Nova Recovery Center "failed to adequately protect the sensitive personal data of its clients." This allegation suggests that the breach may have been preventable with proper cybersecurity measures and data protection protocols in place.

A settlement has been reached in the class action lawsuit, offering compensation to affected individuals. Under the terms of the settlement, individuals whose information was compromised in the May 2025 Nova Recovery Center data breach may be eligible to claim up to $5,000. This substantial settlement amount reflects the serious nature of the breach and the particularly sensitive nature of addiction treatment records.

What This Means for Patients

For the 6,242 individuals affected by this breach, the exposure of their personal information poses several significant risks:

Identity Theft Risk: With personal information in the hands of cybercriminals, affected individuals face increased risk of identity theft and fraudulent account creation.

Medical Identity Theft: Compromised healthcare information could be used to obtain medical services fraudulently or to access prescription medications illegally.

Stigma and Discrimination: Given that this breach involved addiction treatment records, affected individuals may face particular vulnerability if their treatment history becomes public or is used maliciously.

Financial Impact: The settlement recognizes the potential financial harm to victims, offering up to $5,000 per affected individual to compensate for damages and protective measures.

How to Protect Yourself

If you were a patient at Nova Recovery Center and believe you may have been affected by this breach, take these protective steps:

Monitor Your Credit: Regularly check your credit reports from all three major credit bureaus for unauthorized accounts or inquiries.

Watch Financial Statements: Review bank statements, credit card bills, and insurance statements for suspicious activity.

Consider Credit Freezes: Place security freezes on your credit files to prevent unauthorized account opening.

Monitor Healthcare Benefits: Watch for unexpected medical bills or insurance claims that might indicate medical identity theft.

Participate in Settlement: If eligible, consider participating in the class action settlement to receive compensation and any additional protective services offered.

Stay Alert for Phishing: Be cautious of emails, calls, or texts that might be attempts to exploit information gained from the breach.

Prevention Lessons for Healthcare Providers

The Nova Recovery Center breach offers important lessons for healthcare organizations, particularly those serving vulnerable populations:

Implement Robust Cybersecurity: Healthcare providers must invest in comprehensive cybersecurity measures including network monitoring, intrusion detection, and regular security assessments.

Employee Training: Staff should receive ongoing cybersecurity training to recognize and prevent social engineering attacks and other common threat vectors.

Data Minimization: Organizations should limit the amount of sensitive data stored and ensure that unnecessary personal information is securely disposed of according to HIPAA requirements.

Incident Response Planning: Having a comprehensive breach response plan can minimize damage and ensure proper notification procedures are followed.

Regular Security Audits: Periodic security assessments can identify vulnerabilities before they are exploited by malicious actors.

Vendor Management: Third-party vendors and business associates should be thoroughly vetted and monitored for security compliance.

The substantial settlement in this case demonstrates that courts and regulators are taking healthcare data protection seriously, particularly when vulnerable populations are involved. Healthcare providers must prioritize cybersecurity not just for compliance purposes, but to protect their patients' most sensitive information and maintain the trust essential to effective treatment relationships.

Protect your practice with AI-powered HIPAA compliance. Get started with HIPAA Agent.