Data Breach at Professional Finance USA Exposes Patient Records Of 650 Healthcare Providers

Ransomware Attack Could Be One Of 2022’s Biggest Health Care Breaches

A major ransomware attack on a little-known debt collection firm that serves hundreds of hospitals and medical facilities across the U.S. could be one of the biggest data breaches of personal and health information this year.

The Greeley, Colorado-based Professional Finance Company, known as PFC, which contracts with “thousands” of organizations to process customer and patient unpaid bills and outstanding balances, disclosed on July 1 that it had been hit by ransomware months earlier in February.

PFC said in its data breach notice that more than 650 healthcare providers are affected by its ransomware attack, adding that the attackers took patient names, addresses, their outstanding balance and information relating to their account. PFC said that in “some cases” dates of birth, Social Security numbers and health insurance and medical treatment information were also taken by the attackers.

In a separate filing with the U.S. Department of Health and Human Services, PFC confirmed that more than 1.91 million patients are affected by the cyber attack.

At least two healthcare organizations listed as affected by PFC have issued their own data breach notifications. Bayhealth Medical Center in Delaware said 17,481 patients were affected by the PFC breach, while Coleman County Medical Center in Texas disclosed the breach to 1,159 patients.

The attack on PFC is second only in size to a March 2022 data breach at Shields Health Care Group, a medical imaging company with facilities across New England, affecting an estimated two million patients.

Class Action Lawsuits Filed

Numerous class actions are now being filed across the United States on behalf of individuals who, through no fault of their own, are now at permanent risk of identity theft.

Despite learning of the breach in February 2022, PFC waited until May 5th to begin notifying affected healthcare providers of the theft. PFC waited until July, almost two months later, before it began sending notifications to affected individuals (patients). Delaware’s Bayhealth Medical Center and Texas’ Coleman County Medical Center, which are both connected to PFC, have since issued their own data breach notifications in the wake of the PFC data breach.

PFC said it is providing complimentary credit monitoring and identity theft protection services to affected individuals.


