Earlier this year, the debt-collection company Professional Finance Company, Inc. (“PFC”) reported a data breach. At the time the company reported the breach, it was unaware of the scope of the incident; however, based on recently released information, the PFC data breach impacted 657 healthcare providers across the United States. While the exact number of patients who were affected by the breach remains unknown, this could be the largest healthcare data breach of the year. According to the PFC, the breach resulted in the first and last names, addresses, dates of birth, Social Security numbers, health insurance information and medical treatment information being compromised. On May 5, 2022, PFC filed initial notice of the breach and sent out data breach letters to all affected parties. Since then, the company learned that the breach was larger in scope than originally thought and sent data breach letters to additional patients.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Professional Finance Company data breach, please see our recent piece on the topic here.
The Background of the Professional Finance Company Data Breach
Grasping the magnitude of the Professional Finance Company data breach requires an understanding of what the company does and why it has the potential to impact so many people. PFC is a debt collection company that works with other organizations to recover their accounts receivable. For example, once a healthcare provider determines that it is no longer in its interest to keep trying to collect a debt, it sells the debt to PFC. To facilitate PFC’s ability to collect on amounts owed, providers give PFC information about patients. This is how PFC came into possession of the information that was the subject of the breach.
According to an official notice filed by the company, PFC “detected and stopped” a sophisticated ransomware attack occurring in February 2022. PFC reports that, as a result of the attack, the company’s computer system was disabled, and the unauthorized party orchestrating the attack was able to view patient data. In response, PFC retained cybersecurity experts to investigate the incident. This investigation revealed that an unauthorized third party accessed files containing certain individuals’ personal information during this incident, including patients’ first and last names, addresses, dates of birth, Social Security numbers, health insurance information and medical treatment information.
On May 5, 2022, Professional Finance Company began sending out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. However, more recently, the company provided updated letters to everyone impacted by the incident.
Professional Finance Company also provides a list of all affected healthcare practices, which includes more than 650 providers across the country. A link to all affected providers can be found here.
More Information About Professional Finance Company, Inc.
Professional Finance Company is a debt collection company based in Greeley, Colorado. The company works with other organizations to recover their accounts receivable through various means. Professional Finance Company has various subsidiaries, including PFC Infuse, which acquires, manages, and liquidates portfolios of defaulted receivables from companies. Other subsidiaries include PFC First, PFC USA and PFC Rev. Professional Finance Company employs more than 126 people and brings in approximately $15 million in annual revenue.
Who Is Responsible for a Data Breach at a Third-Party Company?
There are a few different types of data breaches. In most cases, the company that leaks consumer data is also the company that received the data directly from the consumer. For example, let’s say you give your information to a bank when you apply for a loan. If a hacker breaches the bank’s data security system and obtains your data, this is known as a first-party breach.
However, there has recently been an increased number of third-party data breaches. A third-party data breach occurs when the company that was targeted in a cyberattack is not the same company to which the consumer gave their information. To use the Professional Finance Company data breach as an example, patients never gave their information to the company; it is only through their healthcare provider that PFC came into possession of the information. In fact, most patients who were victims of the PFC breach may never have heard of the company.
When it comes to determining which company is responsible for a third-party data breach, the fact that a consumer never actually provided their information to the breached company doesn’t impact the analysis. In other words, the question is the same in either case: was the targeted company negligent in how it maintained and stored consumer data? If so, then the company may be liable.
In certain situations, the company that provided the third party with consumer data (in this case, the medical providers) can also be liable. However, this would require that a patient prove that their medical care provider negligently entrusted PFC with their information.
Third-party data breaches are extraordinarily complex. However, they are also becoming more and more common. Thus, it is important that anyone who has questions about their rights reach out to an experienced data breach lawyer for assistance.