A ransomware attack at Professional Finance Company may have exposed data from patients at about 600 healthcare providers.
Greeley, Colorado-based PFC, an accounts receivable management company, discovered the ransomware attack in February, after an unauthorized user accessed and disabled some of the company's computer systems. PFC disconnected the affected systems and has worked with third-party forensic specialists to investigate the incident and secure its network, according to a notice from the company.
PFC's investigation found that during the ransomware attack, hackers may have accessed files containing some patients' personal information. The company notified healthcare providers whose patient data may have been exposed May 5, and last week began mailing letters to patients.
The ransomware attack hit company systems that held data from facilities at DispatchHealth, Banner Health, Renown Health and multiple other provider customers.
A company spokesperson declined a request for comment on the number of affected patients and whether the company paid a ransom.
PFC said it hasn't found evidence to suggest patient data has been misused by hackers, but it's possible information including names, addresses, accounts receivable balance, dates of birth, Social Security numbers and health insurance and medical treatment information could have been accessed by hackers.
PFC has "wiped and rebuilt affected systems" since the ransomware attack, among other steps to improve its network security, according to the notice.
"We are committed to mitigating the chance of a similar, future incident, and have taken specific and robust measures to ensure that our data is more secure than ever before," a company spokesperson wrote in an emailed statement. "We have made significant investments to advance our security posture, including adding AI threat protection and contracting with two leading cybersecurity firms."
Healthcare entities covered by the Health Insurance Portability and Accountability Act are required to disclose data breaches to the Health and Human Services Department's Office for Civil Rights within 60 days of discovering them. The incident has not been posted to the department's breach portal.
Healthcare providers, insurers and their business associates have submitted nearly 330 data breach reports in 2022, according to the Office for Civil Rights' breach portal. The largest data breach reported this year took place at Shields Health Care Group, where a cyberattack in March compromised data on an estimated 2 million patients.