Debt collection firms seldom market themselves to the general public, so it’s hardly surprising that we had never heard of them.
Nevertheless, the Colorado-based Professional Finance Company (PFC) serves hundreds of hospitals and medical facilities across the U.S. and it has fallen victim to a ransomware attack that could easily be one of the biggest data breaches of personal and health information this year.
On July 1st, PFC disclosed that it had been hit by ransomware months earlier, in February. In a notice, the company said that more than 650 healthcare providers are affected by the attack, adding that the hackers took patient names, addresses, outstanding balances and information relating to their accounts. In some cases, dates of birth, Social Security numbers, health insurance details and medical treatment information were taken as well.
In a separate filing with the U.S. Department of Health and Human Services, PFC confirmed that more than 1.91 million patients are affected by the attack.
Of the healthcare organizations that were affected, at least two have issued their own data breach notifications – Bayhealth Medical Center in Delaware and Coleman County Medical Center in Texas. The former said 17,481 patients were affected, while the latter disclosed the breach to 1,159 patients.
Needless to say, PFC was mum on questions from the media, though we’re sure everyone would like to know why it took the company four months to notify the affected healthcare providers and whether the stolen data was encrypted.
The attack on PFC is second only in size to a March 2022 data breach at Shields Health Care Group, a medical imaging company with facilities across New England. At that time, about 2 million patient records were affected.
Because of their vast databases, debt collection agencies are emerging as attractive targets for hackers. Previously, AMCA — a medical debt collector contracted with laboratory testing giants LabCorp and Quest Diagnostics — was hit by a data breach. Following that breach, AMCA filed for bankruptcy.
Again, as an end user, you can do little when a major organization is hacked. Simply put, these sorts of things are outside of your (our) control. What we can do is be careful about what we do on the Internet so that we don’t end up as victims of phishing and other kinds of attacks. To that end, you should use an antivirus and a good VPN. And you know where to find the latter, right?