Daily Camera (Boulder)

Ransomware attack targets Professional Finance Co.

Up to 2 million patient records could have been accessed nationwide

By Christopher Wood

A ransomware attack against Professional Finance Co. Inc., a Greeley-based accounts-receivable management company, has resulted in a data breach potentially affecting 657 of the company’s health-care-provider clients and almost two million individuals.

The breach, with more than 1.9 million individuals potentially affected, represents the second-biggest data breach affecting health care companies so far in 2022, according to the U.S. Department of Health and Human Services’ Breach Portal. A March attack against Shields Health Care Group Inc. of Massachusetts affected more than 2.4 million individuals.

The Professional Finance breach already has prompted four federal lawsuits accusing the company of failing to exercise reasonable care in securing customer and employee data. The lawsuits were filed in U.S. District Court in Denver and are seeking class-action status.

The ransomware attack occurred Feb. 26, but Professional Finance did not begin informing client health care providers until May 5, according to a Notice of Cybersecurity Incident posted on the company’s website.

“On Feb. 26, 2022, PFC detected and stopped a sophisticated ransomware attack in which an unauthorized third party accessed and disabled some of PFC’s computer systems,” according to the incident report. “PFC immediately engaged third party forensic specialists to assist us with securing the network environment and investigating the extent of any unauthorized activity. Federal law enforcement was also notified.

“The ongoing investigation determined that an unauthorized third party accessed files containing certain individuals’ personal information during this incident. PFC notified the respective health care providers on or around May 5, 2022.”

The company issued a press release about the data breach July 1.

PFC said it had “found no evidence that personal information has been specifically misused.” But data potentially accessed by the cyber attacker includes first and last name, address, accounts-receivable balance and information regarding payments made to accounts, according to the company. Additionally, date of birth, Social Security number, health insurance and medical-treatment information were exposed “in some cases,” the company said.

Health care providers affected by the breach include some of the largest hospital and clinic groups operating in the Boulder Valley and Northern Colorado, including Banner Health, Boulder Community Health, Sunrise Community Health and UCHealth, along with numerous dental clinics. A complete list of health care providers affected by the breach can be found here.

Four lawsuits were filed in U.S. District Court in Denver thus far in July, including one filed on behalf of Christopher Schroeder, a resident of Reno, Nevada.

Schroeder’s lawsuit, filed July 18 by Migliaccio & Rathod LLP, a law firm in Washington, D.C., “asserts claims for negligence, breach of contract, breach of implied contract, breach of fiduciary duty, declaratory and injunctive relief, and state consumer protection claims.”

“Plaintiff Schroeder and class members have faced and will continue to face a certainly impending and substantial risk of a slew of future harms as a result of defendant’s ineffective data security measures …” according to the lawsuit.

“Some of these harms will include fraudulent charges and/or bank and credit accounts opened in the victims’ names, medical procedures ordered in patients’ names without their permission, and targeted advertising without patient and/or current and former employee consent.

“Some of these harms will not materialize for months, or even years after the data breach incident, rendering defendant’s notice letter woefully inadequate to prevent the fraud that will continue to occur through the misuse of class members’ information.”

The lawsuit also criticized the timing of Professional Finance informing individuals of the breach.

“Plaintiff and class members were not notified of the data breach until, at the earliest, July of 2022 — more than five months after their private information was first accessed,” the lawsuit stated.

Professional Finance’s cybersecurity notice said the company has taken steps to prevent future cyber attacks.

“Since the incident, PFC wiped and rebuilt affected systems and has taken steps to bolster its network security,” the company said. “PFC also reviewed and altered its policies, procedures, and network security software relating to the security of systems and servers, as well as how data is stored and managed.”

Professional Finance, which operates as PFC USA, was founded in 1904 as the collections division of the Weld County Credit Bureau. The company has been owned by the Shoop family since the 1950s and is headed by its president, Charlie Shoop. Its headquarters are at 5754 W. 11th St. in Greeley.

Shoop could not immediately be reached for comment.

The lawsuits are:

• Christopher Schroeder, individually and on behalf of all others similarly situated, v. Professional Finance Co., U.S. District Court for Colorado, case no. 22-cv-01776.

• Natalie Willingham, on behalf of herself and all others similarly situated, v. Professional Finance Co., U.S. District Court for Colorado, case no. 22-cv-01749.

• Joshua Wheat, on behalf of himself and all others similarly situated, v. Professional Finance Co., U.S. District Court for Colorado, case no. 22-cv-01723.

• Carlos Martinez, on behalf of himself and all others similarly situated, v. Professional Finance Co., U.S. District Court for Colorado, case no. 22-cv-01689.

BIZWEST — COURTESY PHOTO: Professional Finance Co. Inc. is headquartered at 5754 W. 11th St. in Greeley.
