Professional Finance Company, Inc.

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

Professional Finance Company Data Breach Overview

The Professional Finance Company, Inc. (PFC), based in Greeley, Colorado, experienced a significant data breach due to a ransomware attack that was first detected on February 26, 2022. The breach affected 657 healthcare providers and potentially exposed the personal information of 1.9 million patients[1][2][3][4][6].

Details of the Breach

The ransomware attack allowed unauthorized access to PFC’s computer systems, leading to the disabling of some systems and potential access to sensitive patient data. The types of information that could have been accessed include:

  • Names
  • Addresses
  • Accounts receivable balances
  • Payment information
  • Dates of birth (in some cases)
  • Social Security numbers (in some cases)
  • Health insurance information (in some cases)
  • Medical treatment information (in some cases)[1][2][3][4][6]

Company Response

PFC responded to the incident by engaging third-party forensic specialists to secure the network and investigate the extent of the breach. They also notified federal law enforcement. PFC began notifying the affected healthcare providers on May 5, 2022, and has since been sending out notification letters to potentially involved individuals. The company is offering free credit monitoring and identity theft protection services through Cyberscout to those affected[2][6][7].

Post-Incident Actions

Following the attack, PFC took several steps to improve its cybersecurity posture, including:

  • Wiping and rebuilding affected systems
  • Bolstering network security
  • Reviewing and altering policies, procedures, and network security software related to the security of systems and servers, as well as data storage and management[3][5][7].

Legal and Regulatory Implications

The breach has prompted four federal lawsuits accusing PFC of failing to exercise reasonable care in protecting sensitive information. PFC has reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights, which oversees compliance with the Health Insurance Portability and Accountability Act (HIPAA)[5].

Recommendations for Affected Individuals

PFC and various sources recommend that affected individuals remain vigilant by:

  • Reviewing financial account statements
  • Monitoring credit reports
  • Reporting any suspicious activity to the relevant institutions and law enforcement[7].

Conclusion

The PFC data breach is one of the largest healthcare-related cybersecurity incidents of 2022. It highlights the importance of robust cybersecurity measures and the potential consequences of data breaches, including legal action and the need for heightened vigilance against identity theft and fraud.

Citations:

  1. https://www.hipaajournal.com/657-healthcare-providers-affected-by-ransomware-attack-on-professional-finance-company/
  2. https://www.databreaches.net/professional-finance-company-inc-is-providing-breach-notifications-to-patients-of-663-covered-entities/
  3. https://www.cpomagazine.com/cyber-security/quantum-ransomware-attack-on-finance-company-impacts-657-healthcare-organizations-and-millions-of-patients/
  4. https://techcrunch.com/2022/07/13/pfc-ransomware-healthcare/
  5. https://www.dailycamera.com/2022/07/20/ransomware-attack-targets-professional-finance-co-affecting-657-health-care-clients/
  6. https://www.cnet.com/news/privacy/ransomware-attack-leaves-1-9-million-patient-records-exposed/
  7. https://www.prnewswire.com/news-releases/pfc-usa-provides-notice-of-data-security-incident-301579798.html
  8. https://www.thelyonfirm.com/blog/professional-finance-company-pfc-data-breach/
  9. https://healthitsecurity.com/news/vendor-ransomware-attack-impacts-660-healthcare-organizations
  10. https://classlawdc.com/2022/07/06/professional-finance-company-data-breach-investigation/

Breach Submission Date: Jul 01, 2022
Converted Entity Name: Professional Finance Company, Inc.
Converted Entity Type: Business Associate
State: CO
Individuals Affected: 1,918,941
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes