Medical debt collection firm says ransomware attack exposed info on 650+ healthcare orgs

A February ransomware attack on a medical debt collection company caused a widespread data breach affecting 657 healthcare organizations. 

In a statement issued late last week, Professional Finance Company said that during the attack the ransomware group gained access to databases that held names, addresses, accounts receivable balances, information regarding payments made to accounts, dates of birth, Social Security numbers, and health insurance data and medical treatment information.

Professional Finance Company said it notified the 657 companies in May. 

“On February 26, 2022, PFC detected and stopped a sophisticated ransomware attack, in which an unauthorized third party accessed and disabled some of PFC's computer systems. PFC immediately engaged third party forensic specialists to assist with securing the network environment and investigating the extent of any unauthorized activity,” the company said. 

“Federal law enforcement was also notified. The ongoing investigation determined that an unauthorized third party accessed files containing certain individuals' personal information during this incident.  PFC notified the respective healthcare providers on May 5, 2022. This incident only impacted data on PFC's systems.”

Professional Finance Company has access to so much personal information because of its role as a debt collection firm. Since its founding in 1904, healthcare organizations have sold medical debts to the company once they feel it is too much work to track someone down. 

Healthcare organizations provide the company with information on patients or customers who have not paid, making them an ideal target for hackers. 

AdvIntel CEO Vitali Kremez told BleepingComputer the attack was launched by the Quantum ransomware, which was recently spotlighted by researchers at Symantec for its ties to the new Bumblebee malware loader. 

The DFIR Report released a study in April on Quantum, noting that it was responsible for one of the fastest ransomware cases they have ever observed. The gang was able to encrypt and ransom a network in under four hours.