Select Medical Data Breach: 119,525 Patients Exposed via Vendor
Select Medical Holdings Corporation, a healthcare provider headquartered in Pennsylvania, has disclosed a data breach that exposed the personal and health information of 119,525 individuals. The breach, reported to the Department of Health and Human Services (HHS) on June 6, 2025, occurred at a third-party vendor rather than on Select Medical's own systems and illustrates the ongoing cybersecurity challenges facing healthcare organizations.
What Happened
The Select Medical data breach was not a direct attack on the healthcare provider's systems, but rather occurred through a business associate relationship. According to the breach notification, Nationwide Recovery Services, Inc. ("NRS"), a debt collection services provider and now-former vendor of Select Medical Holdings, experienced a data security incident that resulted in unauthorized access to information pertaining to certain individuals affiliated with Select Medical.
This incident is a classic third-party or "downstream" breach: the healthcare provider's patients are harmed by a security failure at one of its business associates rather than by a compromise of the provider's own network. In the HHS report the incident is categorized as a hacking/IT incident, with a network server listed as the location of the breached information.
Who Is Affected
The breach affected 119,525 individuals who had a relationship with Select Medical and whose information was processed by NRS as part of its debt collection services. Select Medical is a major healthcare provider operating rehabilitation hospitals, outpatient rehabilitation clinics, and other healthcare facilities, headquartered in Pennsylvania with facilities across multiple states.
The affected individuals likely include:
- Current and former patients of Select Medical hospitals and outpatient clinics
- In particular, patients whose accounts were referred to NRS for collection activities
Breach Details
While the full technical details of the incident remain limited in public disclosures, several key facts have emerged:
Third-Party Involvement: The breach occurred at Nationwide Recovery Services, Inc., which provided debt collection services to Select Medical. This arrangement made NRS a business associate under HIPAA regulations, requiring them to maintain appropriate safeguards for protected health information.
Data Type: The incident involved both personally identifiable information (PII) and protected health information (PHI), making it a concern from both a privacy and a healthcare compliance perspective.
Timeline: The breach was reported to HHS on June 6, 2025, though the exact date of the initial security incident and discovery timeline have not been publicly disclosed.
Legal Action: Strauss Borrelli PLLC, a law firm that litigates data breach class actions, has announced that it is investigating the Select Medical data breach, which suggests class action litigation may follow.
What This Means for Patients
For the 119,525 affected individuals, this breach creates several immediate and long-term concerns:
Identity Theft Risk: With both PII and PHI exposed, affected patients face elevated risks of identity theft, medical identity theft, and financial fraud. Medical identity theft can be particularly damaging as it may result in incorrect information being added to medical records.
Financial Implications: Since the breach occurred at a debt collection agency, information about medical debts may have been compromised. Scammers can use genuine account details, balances, and dates of service to make fraudulent collection demands look legitimate, so unexpected payment requests should be verified directly with Select Medical rather than through contact details supplied in the request.
Privacy Violations: The unauthorized access to health information represents a significant privacy violation that may affect patients' trust in their healthcare providers and the broader healthcare system.
Ongoing Monitoring Needs: Affected individuals will need to monitor their credit reports, medical records, and insurance statements for signs of fraudulent activity for years to come.
How to Protect Yourself
If you believe you may have been affected by this breach, take these immediate steps:
Monitor Your Accounts: Regularly check bank accounts, credit cards, and medical insurance statements for unauthorized activity or unfamiliar charges.
Review Credit Reports: Obtain free credit reports from all three major credit bureaus (Equifax, Experian, and TransUnion) and review them for accounts or inquiries you don't recognize.
Consider Credit Freezes: Place security freezes on your credit files at each of the three bureaus; freezes are free and prevent new accounts from being opened in your name without your permission.
Watch for Suspicious Communications: Be alert for unexpected bills, collection notices, or communications about medical services you didn't receive.
Keep Records: Maintain documentation of any suspicious activity or communications related to the breach.
Stay Informed: Monitor for updates from Select Medical regarding the breach investigation and any additional protective measures being offered.
Prevention Lessons for Healthcare Providers
This incident offers several important lessons for healthcare organizations:
Vendor Risk Management: Healthcare providers must implement comprehensive due diligence processes when selecting business associates and regularly assess their security practices. The Select Medical breach demonstrates that organizations can be held accountable for their vendors' security failures.
Business Associate Agreements: Ensure all business associate agreements include specific cybersecurity requirements, incident response procedures, and clear notification timelines. These contracts should be regularly reviewed and updated to reflect current threat landscapes.
Third-Party Monitoring: Implement ongoing monitoring and assessment programs for business associates, including regular security audits and penetration testing requirements.
Incident Response Planning: Develop comprehensive incident response plans that specifically address third-party breaches and establish clear communication protocols with business associates.
Data Minimization: Limit the amount of PHI shared with business associates to only what is necessary for their specific functions. Regular data purging schedules should be established and enforced.
Cyber Insurance: Ensure cybersecurity insurance policies adequately cover third-party breaches and business associate incidents, as these are becoming increasingly common attack vectors.
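The data minimization lesson above is easiest to enforce mechanically at the point where records leave the covered entity. The following Python script is an added example, not code from Select Medical, NRS, or this page: it applies a per-purpose allow-list to billing records before export to a collections vendor, strips every field the vendor has no need for, and replaces the internal account identifier with a vendor-specific HMAC token so a breach at the vendor does not expose the provider's internal numbering. The field names, the "collections" purpose, the key, and the sample records are constructed assumptions for illustration.

```python
"""Allow-list data-minimization filter for records exported to a vendor.

Added example (not Select Medical's or NRS's code).  Field names, the
"collections" purpose, the export key and the sample records below are
constructed for illustration.
"""
import hashlib
import hmac

# Fields a collections vendor needs to pursue a balance, keyed by purpose.
# Anything NOT listed is stripped (allow-list, never a deny-list): a new
# column added to the billing feed is dropped by default instead of leaking.
ALLOWED_FIELDS: dict[str, frozenset[str]] = {
    "collections": frozenset({
        "first_name", "last_name", "mailing_address",
        "balance_due", "service_date",
    }),
}

# Constructed key; in practice a per-vendor key held in a secrets manager.
EXPORT_KEY = b"example-collections-export-key-do-not-use"


def pseudonymous_ref(account_id: str, key: bytes) -> str:
    """Opaque, vendor-specific reference derived from the internal account ID.

    HMAC-SHA256 truncated to 64 bits: the covered entity can recompute it to
    match vendor reports back to an account, the vendor cannot recover the
    internal ID, and two vendors given different keys cannot join datasets.
    """
    return hmac.new(key, account_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize_record(record: dict, purpose: str, key: bytes) -> tuple[dict, list[str]]:
    """Return (exportable record, names of fields stripped from the input).

    Raises ValueError if the purpose is unknown, the record lacks an
    account_id to pseudonymize, or a required field is absent, so a
    malformed batch fails closed rather than shipping partial data.
    """
    if purpose not in ALLOWED_FIELDS:
        raise ValueError(f"no allow-list defined for purpose {purpose!r}")
    if "account_id" not in record:
        raise ValueError("record has no account_id to pseudonymize")
    allowed = ALLOWED_FIELDS[purpose]
    out = {"account_ref": pseudonymous_ref(record["account_id"], key)}
    dropped = []
    for name, value in record.items():
        if name == "account_id":
            continue  # replaced by account_ref above
        if name in allowed:
            out[name] = value
        else:
            dropped.append(name)  # SSN, diagnoses, notes, etc. never leave
    missing = allowed - set(out)
    if missing:
        raise ValueError(f"record {out['account_ref']} missing required fields: {sorted(missing)}")
    return out, sorted(dropped)


def build_export(records: list[dict], purpose: str, key: bytes) -> tuple[list[dict], dict[str, int]]:
    """Minimize a batch; also return how often each field was stripped.

    The drop counts are what you log and review: a field that is stripped
    from every record is one the source feed should stop supplying at all.
    """
    payload, drop_counts = [], {}
    for rec in records:
        minimized, dropped = minimize_record(rec, purpose, key)
        payload.append(minimized)
        for field in dropped:
            drop_counts[field] = drop_counts.get(field, 0) + 1
    return payload, drop_counts


# Constructed sample billing records (not real patients).
SAMPLE_RECORDS = [
    {"account_id": "ACCT-0001", "first_name": "Ada", "last_name": "Lovelace",
     "mailing_address": "1 Example St, Harrisburg, PA", "balance_due": "412.50",
     "service_date": "2024-11-03", "ssn": "000-00-0001",
     "diagnosis_codes": ["S72.001A"], "insurance_member_id": "XYZ123",
     "clinical_notes": "post-op rehab, 6 sessions"},
    {"account_id": "ACCT-0002", "first_name": "Alan", "last_name": "Turing",
     "mailing_address": "2 Example Ave, Pittsburgh, PA", "balance_due": "95.00",
     "service_date": "2025-01-15", "ssn": "000-00-0002",
     "diagnosis_codes": ["M54.5"]},
]

if __name__ == "__main__":
    exported, drops = build_export(SAMPLE_RECORDS, "collections", EXPORT_KEY)
    for row in exported:
        print(row)
    print("fields stripped per batch:", drops)
```

The drop counts double as a minimization audit: if `ssn` is stripped from every record in every batch, the billing system should stop including it in the feed at all, so the data never sits in an export staging area either.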
The Select Medical breach serves as a stark reminder that healthcare cybersecurity is only as strong as the weakest link in the chain of business associates and vendors. As cyber threats continue to evolve, healthcare organizations must adopt a comprehensive approach to security that extends beyond their own networks to encompass all parties with access to patient data.
With legal investigations underway and the full scope of the incident still being assessed, this breach will likely serve as another catalyst for stronger cybersecurity requirements in the healthcare industry. Organizations that proactively address these challenges through comprehensive compliance programs and robust vendor management practices will be better positioned to protect patient data and maintain regulatory compliance.