Professional Finance Company Inc. (PFC), one of the largest accounts receivable management agencies in the United States, has announced that it was the victim of a ransomware attack in February 2022. While the intrusion was detected promptly and was blocked on February 26, 2022, the forensic investigation confirmed that the attackers accessed files on its network. Those files included the personal information of individuals, which had been provided to PFC by its clients. PFC issued a statement confirming that, at the time of issuing notifications to affected individuals, no reports had been received of any actual or attempted misuse of client data; however, the possibility of data theft and future misuse of that information could not be ruled out.
PFC provides debt collection services and is one of the leading companies that help U.S. healthcare providers recover unpaid medical bills. PFC also has many clients in retail, financial services, and government. Concerning the healthcare provider clients, the U.S. Health Insurance Portability and Accountability Act (HIPAA), which covers healthcare providers and business associates of those entities that are provided with individuals’ protected health information (PHI), requires notifications to be issued in the event of a data breach involving PHI.
PFC said that notifications were sent to each affected healthcare provider client on May 5, 2022, and notification letters have now been sent to individuals affected by the data breach. PFC has also confirmed that 657 of its healthcare provider clients have been affected. The types of information breached included the data sent to PFC to facilitate debt collection, such as names, addresses, birth dates, accounts receivable balance and payment information, Social Security numbers, and health insurance and medical treatment information.
PFC has not publicly disclosed how many individuals have been affected, but considering the number of healthcare providers affected, this has the potential to be a major data breach. PFC said affected individuals have been offered complimentary credit monitoring and identity theft protection services.
Cyberattacks on business associates of HIPAA-covered entities have the potential to affect many healthcare organizations. A cyberattack and data breach at American Medical Collection Agency in 2019 affected many of its healthcare provider clients, the majority of which were clinical laboratories. That breach resulted in the exposure of the PHI of more than 26 million individuals and was the largest healthcare data breach reported in 2019.