657 Healthcare Organizations Affected by Ransomware Attack on Professional Finance Company

Professional Finance Company Inc. (PFC), an accounts receivable management company based in Greeley, CO, has reported a major data breach that potentially affected 657 of its healthcare provider clients.

According to the PFC website, the company is one of the top debt recovery organizations in the country, and its customer list includes many healthcare providers, merchants, financial companies, and government organizations. According to the company’s substitute breach notification, a sophisticated ransomware attack was identified and blocked on February 26, 2022, but not quickly enough to prevent a few of its computer systems from being disabled.

Third-party forensics professionals were engaged to investigate the breach and help secure PFC's environment. The investigation determined that an unauthorized third party gained access to systems and files containing information about patients of its healthcare organization clients. PFC stated that it sent breach notification letters to all impacted healthcare company clients on May 5, 2022. Since then, all affected individuals have received breach notification letters.

The investigation found no evidence of misuse of patient data; however, data theft and improper use could not be ruled out. The types of data possibly accessed in the attack included names, addresses, accounts receivable balances, data concerning payments made to accounts, and, for a number of persons, Social Security numbers, birth dates, health insurance details, and medical treatment data.

PFC stated it is offering complimentary identity theft protection and credit monitoring services to impacted persons. In contrast to a number of recent data breaches that occurred at business associates of HIPAA-covered entities, PFC has released a list of the healthcare companies affected.

The incident has not yet been posted on the HHS’ Office for Civil Rights web portal, so the number of individuals impacted by the breach is uncertain. However, with 657 healthcare organizations affected, it is likely that this is one of the biggest healthcare data breaches to be reported this year.