657 Healthcare Providers Affected by Ransomware Attack on

Greeley, CO-based accounts receivable management company Professional Finance Company Inc. (PFC) has reported a major data breach that is believed to have affected 657 of its healthcare provider clients.

According to the PFC website, the company is one of the nation’s leading debt recovery agencies, and its client list includes many healthcare providers, retailers, financial organizations, and government agencies. According to the company’s substitute breach notice, a sophisticated ransomware attack was detected and blocked on February 26, 2022, but not in time to prevent some of its computer systems from being disabled.

Third-party forensics specialists were engaged to investigate the breach and provide assistance with securing its environment. That investigation confirmed that an unauthorized third party had access to systems that contained information about patients of its healthcare provider clients, and files containing patient data were accessed. PFC said it sent notification letters to all affected healthcare provider clients on May 5, 2022, and has since issued notification letters to all affected individuals.

The investigation uncovered no evidence of misuse of patient data, but data theft and misuse could not be ruled out. The types of information potentially accessed in the attack included names, addresses, accounts receivable balances, information regarding payments made to accounts, and, for some individuals, birth dates, Social Security numbers, health insurance information, and medical treatment information.

PFC said it is providing complimentary credit monitoring and identity theft protection services to affected individuals. In contrast to several recent data breaches at business associates of HIPAA-covered entities, PFC has published a list of the healthcare providers affected.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is unclear how many patients have been affected by the breach, but with 657 healthcare providers affected, this has the potential to be one of the largest healthcare data breaches to be reported this year. A previous data breach at a company that provided similar services – American Medical Collection Agency (AMCA) – also resulted in the exposure of data of clients. That breach was the largest to be reported in 2019 and affected 26 million individuals. At least 24 of its clients were affected.

Bayhealth Medical Center in Delaware is one of the first healthcare provider clients to confirm it has been affected by the PFC breach and has reported the data breach to the Office for Civil Rights as affecting 17,481 individuals.