Professional Finance Company (PFC), an accounts receivable management company that aids various organizations—including healthcare providers—is notifying individuals whose information may have been involved in a recent ransomware attack.

On Feb. 26, 2022, PFC detected and stopped a sophisticated ransomware attack, in which an unauthorized third party accessed and disabled some of PFC’s computer systems. PFC immediately engaged third party forensic specialists to assist with securing the network environment and investigating the extent of any unauthorized activity. Federal law enforcement was also notified.

The ongoing investigation determined that an unauthorized third party accessed files containing certain individuals’ personal information during this incident.  PFC notified the respective healthcare providers on May 5, 2022. This incident only impacted data on PFC’s systems. 

PFC found no evidence that personal information has been specifically misused; however, it is possible that the following information could have been accessed by an unauthorized third party: first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, social security number, and health insurance and medical treatment information.

PFC is mailing letters to potentially involved individuals with detail about the incident and providing resources they can use to help protect their information. PFC is also offering potentially involved individuals access to free credit monitoring and identity theft protection services through Cyberscout, a leading identity protection company.

Individuals should refer to the notice they received in the mail regarding steps they can take to protect themselves. As a precautionary measure, potentially impacted individuals should remain vigilant to protect against fraud and/or identity theft by, among other things, reviewing their financial account statements and monitoring free credit reports.

If individuals detect any suspicious activity on an account, they should promptly notify the institution or company with which the account is maintained. Individuals should also promptly report any fraudulent activity or any suspected identity theft to proper law enforcement authorities, including the police and their state’s attorney general.

Since the incident, PFC wiped and rebuilt affected systems and has taken steps to bolster its network security. PFC also reviewed and altered its policies, procedures, and network security software relating to the security of systems and servers, as well as how data is stored and managed.