More details emerge on Professional Finance Company ransomware incident, but questions remain
A ransomware attack on Professional Finance Company (PFC) has some of us who track breaches in the healthcare sector wondering how large this breach will be. The last time we saw a big breach involving a collection agency was in 2019. The American Medical Collection Agency filed for bankruptcy pretty quickly and the total number of people affected exceeded 20 million. Will the PFC breach be as large?
Past coverage of the AMCA incident linked from here.
PFC is an accounts receivable management / collections firm, servicing clients in the healthcare sector as well as other types of entities. On May 5, they reportedly notified more than 650 clients who are HIPAA-covered entities of a ransomware attack that they detected on February 26. A list of the 657 covered entities whom they notified can be found here.
It was not clear from their notification of July 1 whether PFC would be notifying affected patients or if the covered entities would be sending notifications. It might be some of each. So far, DataBreaches has spotted only a few reports from PFC clients. Summit Healthcare Association notified HHS on May 11 that 1,403 of their patients were impacted, while Bayhealth Medical Center in Delaware notified HHS on June 30 that 17,481 patients were impacted.
Today, Vitali Kremez, CEO of AdvIntel, told DataBreaches that on February 23, AdvIntel’s Andariel platform detected an attack on PFC based on Cobalt Strike collections and alerted PFC’s infosec employees. Kremez described the attackers as being connected to Conti. In a statement to Bleeping Computer, Kremez identified the attackers more specifically as being linked to a Conti/Quantum subgroup. AdvIntel also detected data being exfiltrated via command-line tools.
But how much protected health information was exfiltrated? PFC’s disclosure uses the standard language of “it is possible that” or “may have been.” The bottom line, from DataBreaches’ perspective, is that data was exfiltrated, and there’s no reason to believe, based on PFC’s statement, that the attackers didn’t exfiltrate a lot of protected health information that covered entities would provide to PFC to enable accounts receivable activities. Attempts to bill for medical services or to collect on past due statements often involve a patient’s first and last name, address, balance due, information regarding payments made to accounts, and, in some cases, date of birth, social security number, and health insurance and medical treatment information.
DataBreaches sent an email inquiry to PFC today asking about exfiltrated protected health information data and any ransom demands. No reply has been received as yet.
At least one class-action lawsuit against PFC has already been filed in response to this breach, and it’s almost axiomatic that more are likely to follow. It would seem important to find out, if possible, how much patient data the attackers were able to exfiltrate and what they may have done with it.
Update July 13: PFC reported this incident to HHS as impacting 1,918,941 patients. DataBreaches has reached out to PFC to ask if that was for all of PFC’s clients/covered entities or just on behalf of some of them. As noted above, some entities had already filed their own reports with HHS, and more have since this post was originally published.
This post will be further updated when a reply is received from PFC.