1.9m patient records exposed in healthcare debt collector ransomware attack

Professional Finance Company, a Colorado-based debt collector whose customers include hundreds of US hospitals, medical clinics, and dental groups, recently disclosed that more than 1.9 million people’s private data – including names, addresses, social security numbers and health records – was exposed during a ransomware infection.

In a notice [PDF] posted on its website, PFC said it “detected and stopped a sophisticated ransomware attack” on February 26 this year, during which criminals accessed files containing data from more than 650 healthcare providers [PDF]. The company said it notified the affected medical centers around May 5, and is mailing letters to individuals whose data may have been stolen during the intrusion. 

According to the US Department of Health and Human Services, more than 1.9 million individuals were affected in the security breach, which could make it one of — if not the — biggest American medical info data breaches of the year.

For comparison: in a 2019 breach of American Medical Collection Agency, which provided similar debt collection services to PFC, crooks stole more than 20 million patient records including several hundred thousand payment card details. Shortly after, the agency declared bankruptcy.

And in 2017 health insurer Anthem agreed to pay $115 million to settle a class-action suit brought over its 2015 cyber-theft of 78.8 million records.

Here’s an excerpt from PFC’s ransomware notice:

The company will also offer free credit monitoring and identity theft protection services through Cyberscout for affected individuals.

After detecting the attack, the debt collection firm said it “immediately” hired third-party forensic specialists to secure its network and notified federal law enforcement. As stated, PFC claims it found no evidence of personal information being misused – well, other than it being stolen – and maintains that data security is one of its “highest priorities.”

“Since the incident, PFC wiped and rebuilt affected systems and has taken steps to bolster its network security,” the ransomware notice said. PFC also noted that it updated its security and data storage policies.

The company did not answer any of The Register’s questions about the ransomware infection — including how much money the crooks demanded, whether PFC paid the ransom, why it took so long to notify affected medical centers and patients, and if the stolen files were encrypted prior to the attack.

Instead, PFC’s General Counsel Nicholas Prola emailed a canned statement that repeated much of the company’s breach alert posted on its website. Prola did, however, include additional information about what steps the debt collection firm took to improve its security posture after the attack.

This includes “adding AI threat protection and contracting with two leading cybersecurity firms,” Prola wrote. “Additionally, since the incident, our network environment has been under 24/7 monitoring by cybersecurity experts to mitigate the chance of a future incident.”

Meanwhile, in other ransomware news…

The news about the PFC ransomware attack comes as the Institute for Security and Technology’s Ransomware Task Force released data documenting more than 4,000 attacks last year targeting organizations across all industries in 109 countries. 

The criminals include more than 60 ransomware “families,” according to the public-private task force, and almost half of the victims were US-based organizations. 

A year ago the group published an 81-page report presenting policy makers with 48 recommendations to disrupt the ransomware business and mitigate the effect of such attacks. ®