Professional Finance Company, a Greeley, Colorado-based accounts receivable management company, has announced that it experienced a ransomware attack in February 2022. The payment vendor provides assistance to a multitude of entities, including 600 healthcare organizations.
On February 26, 2022, Professional Finance Company discovered that an unauthorized third party had gained access to and disabled parts of the payment vendor’s systems. The company promptly launched a forensic investigation with the help of third-party forensic cybersecurity experts to secure its systems and determine the scope of the suspicious activity. The investigation concluded that an unauthorized third party had accessed files on its network containing sensitive patient information. Professional Finance Company could not find any evidence indicating misuse of patient information. However, the payment company does state that there is a possibility the hackers obtained information such as names, addresses, birth dates, Social Security numbers, health insurance, medical treatment information, accounts receivable balances, and information relating to payments made to accounts. Law enforcement was notified, and on May 5, 2022, Professional Finance Company informed all of its healthcare clients of the incident.
The incident is believed to have affected 657 of the company’s healthcare clients. These include Colorado Spine Institute, Dental Care in San Antonio, Duck Creek Family Dental, Lackey Memorial Hospital, Louisville Dermatology, Oklahoma City Dental, University Physicians Inc., Banner Health, Lifestance Health, Renown Health, DispatchHealth, and White Mountain Regional Medical Center, among others. Professional Finance Company has notified all potentially affected individuals via a breach notification letter. The letter advises affected individuals of a number of mitigations to help reduce the threat of the attack. In addition, Professional Finance Company is offering credit monitoring and identity theft protection services free of charge to all affected individuals.
The number of individuals impacted by the data breach is unknown, as the breach has not yet been reported to the Department of Health and Human Services’ Office for Civil Rights data breach portal. Professional Finance Company has apologized for any inconvenience caused by the incident. “Data security is one of PFC’s highest priorities. Since the incident, PFC wiped and rebuilt affected systems and has taken steps to bolster its network security.”