by peter


Professional Finance Company is a US-based debt collection firm whose customers include hospitals, medical clinics, and dental groups. They recently disclosed that more than 1.9 million people’s private data, including names, addresses, Social Security numbers and health records, was exposed following a ransomware infection.

In a notice posted on their website, PFC said it “detected and stopped a sophisticated ransomware attack” on February 26 this year, during which criminals accessed files containing data from more than 650 healthcare providers. The company said it notified the affected medical centers around May 5, and is mailing letters to individuals whose data may have been stolen during the intrusion. PFC have opened themselves up to massive legal action over the delay in notification. Waiting just over 2 months is extremely negligent and a breach of pretty much all reporting laws.

According to PFC, they found no evidence that personal information has been specifically misused. But that needs to be taken with a pinch of salt. The majority of criminals will sit on the data for at least six months prior to using it. PFC did confirm that first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, Social Security number, and health insurance and medical treatment information were leaked.

After detecting the attack, PFC said it “immediately” hired third-party forensic specialists to secure its network and notified law enforcement. As stated, PFC claims it found no evidence of personal information being misused and maintains that data security is one of its “highest priorities.”

PFC are “adding AI threat protection and contracting with two leading cybersecurity firms,” according to their notices. So they have bought a DarkTrace appliance then. “Additionally, since the incident, our network environment has been under 24/7 monitoring by cybersecurity experts to mitigate the chance of a future incident.”

Peter’s Opinion

PFC are keeping a lot of information very, very secret and are exhibiting all of the traits of a firm caught with their pants down. On the face of it, it does look a lot like they had no plan in place to deal with an event like this.

From what is known, it would appear that PFC had no actual security in place beyond what they know about running a call centre. It is obvious from their statements that they have no security team, or a very small and unfunded one. There was clearly no monitoring in place to detect and alert on threats and attacks, and it would seem that they likely had no viable endpoint protection.

They are certainly going to have pain in the near future. The delay in notification is very likely going to lead to multiple cases of legal action. Regulators are going to be looking very closely at how a large debt collection firm can get their security so very wrong. And I would be surprised if all of their medical clients don’t move to another service provider.

Sadly this is just another example of corporate negligence around security and information handling.