Accounts Receivables Firm Incident Affected Patients of Many Entities
A ransomware attack on an accounts receivables management firm affects more than 650 covered entity clients, including dental practices, physician groups and hospitals, resulting in one of the largest health data breaches involving a vendor so far this year.
Greeley, Colorado-based Professional Finance Company (PFC) in a statement dated Friday says that on Feb. 26 it “detected and stopped a sophisticated ransomware attack” involving an unauthorized third party accessing and disabling some of the firm’s computer systems.
While PFC says the incident only affected data on the company’s systems, the vendor released a long list of about 660 healthcare entity clients that were affected. Those entities were notified by PFC about the incident on May 5, the company’s statement says.
PFC is the latest – if not potentially the largest – of several critical vendors servicing the healthcare sector to disclose major hacking incidents in recent weeks and months affecting dozens of covered entity clients and collectively millions of their patients.
Cybercriminals have clearly caught on that large business associates are swimming in sensitive personal data, making them attractive targets for hacking.
Business associates are a “one-stop shop for many records that can be monetized,” says Michael Hamilton, CISO of security firm Critical Insight.
“An important lesson here is that if you are an organization that services the health sector, you are at increased risk even though you don’t directly deliver healthcare services,” says Hamilton, also a former CISO of the city of Seattle.
Recent data breaches at crucial business associates demonstrate the staggering number of patients at risk of identity theft from a single incident, says regulatory attorney Paul Hales of the Hales Law Group.
“Crafty criminals aggressively exploit any weak link they can find,” he says.
According to the HHS Office of Inspector General, medical identity theft is among the fastest-growing forms of identity theft in the U.S., Hales says.
“Only two things are required – the identity of a patient and the identity of a provider. Both pieces of information appear to have been disclosed in the PFC breach,” he says.
PFC Breach Details
Professional Finance Company says an ongoing investigation found that files containing individuals’ personal information were accessed in the ransomware incident. That includes names, addresses, accounts receivable balance and information regarding payments made to accounts. In some cases, affected information also includes date of birth, Social Security number, and health insurance and medical treatment information.
Affected individuals are being offered complimentary identity and credit monitoring. So far, the investigation has not found evidence that any affected information has been misused, the company says.
PFC in a statement to Information Security Media Group says the company is taking steps to prevent a similar future security incident.
“We have made significant investments to advance our security posture, including adding AI threat protection and contracting with two leading cybersecurity firms,” PFC says. “We have strengthened our policies, procedures, and network security software, and revised how we store and manage data. Additionally, since the incident, our network environment has been under 24/7 monitoring by cybersecurity experts to mitigate the chance of a future incident.”
PFC declined Information Security Media Group’s request for additional details about the incident, including the approximate number of individuals affected, whether data was exfiltrated, and the type of ransomware involved.
The disclosure by PFC of its ransomware breach comes on the heels of several other recently reported large hacking incidents involving critical vendors in the healthcare sector.
They include a 2020 hacking incident reported in June by Seattle, Washington-based MCG Health LLP, a HIPAA business associate that provides clinical guidelines to healthcare providers and health plans. The company reported the incident to Maine’s attorney general as affecting 1.1 million individuals but told the Department of Health and Human Services it was a HIPAA breach affecting about 800,000 individuals.
Also, Eye Care Leaders, a vendor of cloud-based electronic medical records, reported in March a hacking incident affecting a growing list of vision care practices and similar covered entity clients and at least 2 million individuals so far (see: 2 Vendors at Center of Breaches Affecting 3 Million).
The PFC incident should spur all business associates to review their HIPAA compliance programs thoroughly, including an updated security risk analysis to ensure they have appropriate measures in place to manage their specific risks, Hales says.
Covered entities should immediately review or perform due diligence with all business associates to ensure the compliance of their vendors, he adds.
“HIPAA requires every covered entity to have ‘satisfactory assurance’ the business associate will appropriately safeguard PHI. That means due diligence. … Entrusting PHI to a business associate without due diligence is ‘willful neglect’ with exposure to the highest civil money penalty amounts,” he says.
Also, business associates should conduct due diligence with their subcontractors. “One chink in the armor is all a criminal needs,” Hales says.