Debt Collection Agency Confirms 4.25 Million Individuals Affected by February 2024 Cyberattack
The debt collection agency Financial Business and Consumer Solutions (FBCS) has recently notified the Maine Attorney General that a previously reported breach that was initially reported as affecting 1,955,385 individuals is more than twice as bad. In the fifth report filed with the Maine Attorney General, FBCS has confirmed that 4,050,711 individuals are known to have been affected, including 7, 786 Maine residents. The total continues to increase, as the latest update in late July indicates 4,253,394 individuals have been affected, including 7,841 Maine residents.
The data breach occurred on February 14, 2024, and was discovered a couple of weeks later on February 26, 2024. The forensic investigation by third-party cybersecurity specialists confirmed that the breach was confined to FBCS systems, the hackers had access to those systems for almost 2 weeks, and during that time they may have viewed or acquired files containing sensitive information.
FBCS first notified the Maine Attorney General about the breach on April 26, 2024; however, the investigation had not concluded. As the investigation progressed, that number has steadily risen. The notification to the Maine Attorney General does not state whether the investigation has been completed so further supplemental breach notices may be issued.
FBCS provides services to clients in multiple sectors and helps to recover consumer credit, auto loans and leases, student loans, utility bills, and unpaid medical bills. In early June, FBCS notified the HHS’ Office for Civil Rights that 209,227 individuals had been affected. Since that date, a further three supplemental notifications have been issued to the Maine Attorney General, and it is currently unclear whether the latest notification is the last or if any more protected health information has been compromised.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Data compromised in the incident include names, Social Security numbers, driver’s license numbers, and non-driver’s license identification card numbers bank account information, medical information, and dates of birth. FBCS said it is unaware of the misuse of any of that information; however, as a precaution, complimentary credit monitoring and identity restoration services have been made available.
Several debt collection agencies have fallen victim to cyberattacks that have resulted in data theft, but even at more than 4.25 million records, this is not the largest debt collection agency data breach. That unwanted record goes to American Medical Collection Agency, which suffered a cyberattack in 2021 that exposed the data of more than 24 million individuals.
July 29, 2024: This article was updated following another supplemental breach notice to the Maine Attorney General.
