Professional Finance Company (PFC), a debt collection firm working with US healthcare groups and clinics, suffered a massive ransomware attack that has impacted over 1.9 million people and more than 650 healthcare providers.
In a data breach notice, PFC disclosed an incident that took place on February 26, 2022, when it “detected and stopped a sophisticated ransomware attack.” Threat actors managed to access and disable some of PFC’s computer systems containing individuals’ personal information from over 650 healthcare providers.
With more than 1.9 million people affected, this is one of the biggest health data breaches of this year.
PFC notified the affected entities on or around May 5, 2022, with the full list of companies published separately. Potentially involved individuals are also receiving letters about the incident.
While there is no evidence so far that personal information has been misused, the following data was accessible to attackers: first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, Social Security number, and health insurance and medical treatment information.
All impacted individuals should stay alert for phishing, identity theft, and fraud, review their financial account statements, and monitor their free credit reports.
“PFC also reviewed and altered its policies, procedures, and network security software relating to the security of systems and servers, as well as how data is stored and managed,” the company said.
In 2019, another debt collector, American Medical Collection Agency, suffered a similar incident, with over 20 million patient records and a few hundred thousand payment card details stolen. AMCA subsequently declared bankruptcy.