About 3.9 million patients had data compromised in healthcare data breaches reported to the federal government last month, and nearly half of those patients were affected by a cyberattack at one payment vendor.
An estimated 1.9 million patients had data exposed in a ransomware attack at Professional Finance Company, according to a report the accounts receivable management company submitted to the Health and Human Services Department’s Office for Civil Rights in July.
PFC discovered the ransomware attack in February after an unauthorized user accessed and disabled some of the company's computer systems. An investigation found hackers may have accessed files containing personal information from patients at about 600 of its healthcare provider customers.
In May, the Greeley, Colorado-based company notified healthcare providers whose patient data may have been exposed, and in July said it started mailing letters to patients.
"We are committed to mitigating the chance of a similar, future incident, and have taken specific and robust measures to ensure that our data is more secure than ever before," a PFC spokesperson said in an emailed statement.
The steps include adding artificial-intelligence tools, 24/7 monitoring of its network and contracting with two cybersecurity firms, the spokesperson said.
The incident is the second-largest healthcare data breach reported so far this year, following a cyberattack at Shields Health Care Group that compromised data on an estimated 2 million patients.
Healthcare providers, insurers and their business associates reported 61 data breaches to the Office for Civil Rights in July, which compromised data on a collective 3.9 million patients. More than three-quarters of breaches stemmed from hacking and IT incidents, with the remainder attributed to loss, theft and unauthorized access or disclosure.