Professional Finance Company, Inc.
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
Professional Finance Company Data Breach Overview
The Professional Finance Company, Inc. (PFC), based in Greeley, Colorado, experienced a significant data breach due to a ransomware attack that was first detected on February 26, 2022. The breach affected 657 healthcare providers and potentially exposed the personal information of 1.9 million patients[1][2][3][4][6].
Details of the Breach
The ransomware attack allowed unauthorized access to PFC’s computer systems, resulting in some systems being disabled and sensitive patient data potentially being accessed. The types of information that could have been accessed include:
- Names
- Addresses
- Accounts receivable balances
- Payment information
- Dates of birth (in some cases)
- Social Security numbers (in some cases)
- Health insurance information (in some cases)
- Medical treatment information (in some cases)[1][2][3][4][6]
Company Response
PFC responded to the incident by engaging third-party forensic specialists to secure the network and investigate the extent of the breach. They also notified federal law enforcement. PFC began notifying the affected healthcare providers on May 5, 2022, and has since been sending out notification letters to potentially involved individuals. The company is offering free credit monitoring and identity theft protection services through Cyberscout to those affected[2][6][7].
Post-Incident Actions
Following the attack, PFC took several steps to improve its cybersecurity posture, including:
- Wiping and rebuilding affected systems
- Bolstering network security
- Reviewing and altering policies, procedures, and network security software related to the security of systems and servers, as well as data storage and management[3][5][7].
Legal and Regulatory Implications
The breach has prompted four federal lawsuits accusing PFC of failing to exercise reasonable care in protecting sensitive information. PFC has reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights, which oversees compliance with the Health Insurance Portability and Accountability Act (HIPAA)[5].
Recommendations for Affected Individuals
PFC and various sources recommend that affected individuals remain vigilant by:
- Reviewing financial account statements
- Monitoring credit reports
- Reporting any suspicious activity to the relevant institutions and law enforcement[7].
Conclusion
The PFC data breach is one of the largest healthcare-related cybersecurity incidents of 2022. It highlights the importance of robust cybersecurity measures and the potential consequences of data breaches, including legal action and the need for heightened vigilance against identity theft and fraud.
Citations:
- https://www.hipaajournal.com/657-healthcare-providers-affected-by-ransomware-attack-on-professional-finance-company/
- https://www.databreaches.net/professional-finance-company-inc-is-providing-breach-notifications-to-patients-of-663-covered-entities/
- https://www.cpomagazine.com/cyber-security/quantum-ransomware-attack-on-finance-company-impacts-657-healthcare-organizations-and-millions-of-patients/
- https://techcrunch.com/2022/07/13/pfc-ransomware-healthcare/
- https://www.dailycamera.com/2022/07/20/ransomware-attack-targets-professional-finance-co-affecting-657-health-care-clients/
- https://www.cnet.com/news/privacy/ransomware-attack-leaves-1-9-million-patient-records-exposed/
- https://www.prnewswire.com/news-releases/pfc-usa-provides-notice-of-data-security-incident-301579798.html
- https://www.thelyonfirm.com/blog/professional-finance-company-pfc-data-breach/
- https://healthitsecurity.com/news/vendor-ransomware-attack-impacts-660-healthcare-organizations
- https://classlawdc.com/2022/07/06/professional-finance-company-data-breach-investigation/