1.9 Million Healthcare Records Breached in Ransomware Attack

US debt collector Professional Finance Company (PFC) has reported a data breach affecting 1.9 million individuals across over 650 different healthcare providers.

The Colorado-based company, which chases outstanding debts for healthcare companies, said that an unauthorized intruder accessed personal data including names, addresses, amount owing, and information regarding payments made to accounts. Some individuals also had their social security number, date of birth, and health insurance and medical treatment information exposed, it warned.

The company noticed the ransomware attack on February 26. It bought in forensics experts and informed law enforcement but did not inform healthcare providers until early May.

“The ongoing investigation determined that an unauthorized third party accessed files containing certain individuals’ personal information during this incident,” PFC said in a disclosure statement. The company added that it only affected data on its own systems.

While this statement did not disclose the number of individuals affected, a listing on the Department of Health and Human Services (DHHS) website revealed that 1,918,841 individuals were affected by the breach.

PFC is contacting individuals potentially affected by the breach and will offer them free credit monitoring.

The Department is currently investigating the incident, which would be the second largest under investigation this year. The first was a breach of two million records reported in May by Shields Health Care Group. That attack potentially affected 2 million records, according to the DHHS.

"Although there's no current evidence that the breached information has been used maliciously, it is not uncommon for attackers to wait for just the right moment to post their breached data to the web,” warned Neil Jones, director of cybersecurity evangelism at security company Egnyte.

Healthcare breaches have been rising steadily since 2011, according to data compiled by HIPAA Journal from the DHHS office earlier this month. In 2011, breaches of over 500 records stood at 199. Last year, they reached 714. 

What’s Hot on Infosecurity Magazine?