Ransomware attack leaks 1.9m patient records
Personal data of 1.9 million patients at Professional Finance Company, a Colorado-based debt collector, has been exposed in a ransomware attack, according to the US Department of Health and Human Services.
In a notice published on the company’s website, the firm stated it was able to detect and stop the breach but not before an unauthorised third party had managed to access personal information of more than 650 healthcare providers.
Sensitive data including names, addresses and, on occasion, social security numbers and health records had been obtained. PFC said it is offering those affected access to free credit monitoring and identity theft protection services through Cyberscout, an identity protection company.
The debt collector said it had notified the respective providers and is mailing letters with details about the incident to those who may have been affected. The incident is rumoured to be one of the largest US medical information data breaches of the year, and it ranks as the fifth biggest of the cases from the past two years that are currently under investigation by the Office for Civil Rights.
The US healthcare system has experienced multiple breaches over the past decade, the largest taking place in 2015 in which 80 million policyholders at Anthem Blue Cross had their data stolen.
Anthem said that information including names, birth dates, email and street addresses had been obtained by scammers, but that access was immediately shut down and every Anthem employee was required to reset their passwords.
Anthem notified the Federal Bureau of Investigation once the breach was discovered and similarly offered free credit monitoring and identity protection services to all those affected.
PFC added that it had “found no evidence that personal information has been specifically misused”, but added that it was “possible” that it had been made accessible.
The company claimed that it immediately engaged third-party forensic specialists to assist with the incident and it maintains that “data security is one of the PFC’s highest priorities”.
According to PFC, it has wiped and rebuilt the affected systems and has taken steps to “bolster” its network security in a bid to withstand any further attacks.