657 Healthcare Providers Affected by Ransomware Attack on Professional Finance Company

A major data breach has been reported by the Greeley, CO-based accounts receivable management company, Professional Finance Company Inc. (PFC) which is believed to have affected 657 of its healthcare provider clients.

According to the PFC website, the company is one of the nation’s leading debt recovery agencies, and its client list includes many healthcare providers, retailers, financial organizations, and government agencies. According to the company’s substitute breach notice, a sophisticated ransomware attack was detected and blocked on February 26, 2022; however, not in time to prevent some of its computer systems from being disabled.

Third-party forensics specialists were engaged to investigate the breach and provide assistance with securing its environment. That investigation confirmed that an unauthorized third party had access to systems that contained information about patients of its healthcare provider clients, and files containing patient data were accessed. PFC said it sent notification letters to all affected healthcare provider clients on May 5, 2022, and has since issued notification letters to all affected individuals.

The investigation uncovered no evidence of misuse of patient data, but data theft and misuse could not be ruled out. The types of information potentially accessed in the attack included names, addresses, accounts receivable balances, information regarding payments made to accounts, and, for some individuals, birth dates, Social Security numbers, health insurance information, and medical treatment information.

Please see the HIPAA Journal Privacy Policy

PFC said it is providing complimentary credit monitoring and identity theft protection services to affected individuals. In contrast to several recent data breaches at business associates of HIPAA-covered entities, PFC has published a list of the healthcare providers affected. According to AdvIntel CEO Vitali Kremez, the Quantum ransomware operation was behind the attack.

A previous data breach at a company that provided similar services – American Medical Collection Agency (AMCA) – also resulted in the exposure of data of clients. That breach was the largest to be reported in 2019 and affected 26 million individuals. At least 24 of its clients were affected.

Professional Finance Company has reported the breach to the HHS’ Office for Civil Rights as affecting 1,918,941 individuals; however, some healthcare organizations appear to be reporting the breach separately. For instance, Bayhealth Medical Center in Delaware has self-reported the breach as affecting 17,481 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.