
PFC Data Breach Lawsuit Highlights Importance of Compliance

More healthcare providers now rely on outside vendors for billing and data management. However, as this grows, so does the risk of exposing patient information. In 2024, the industry saw 588 breaches affecting nearly 180 million records, the highest ever reported. One such data breach involved Professional Finance Company (PFC), a debt collector tied to hundreds of medical providers. It’s a stark reminder that one weak link can lead to widespread impact and why strong compliance matters at every level.

Table of Contents

Who Is Professional Finance Company (PFC)?
The PFC Data Breach Incident
Professional Finance Company Lawsuit Details
How Vendors Share Breach Information With Healthcare Partners
The Impact of the Data Breach on Healthcare Patients
How the PFC Breach Affected Healthcare Providers
Mistakes That PFC Made That Allowed the Incident To Happen
What PFC Did Right When Responding to the Breach
How You Can Protect Your Business From Ransomware
Stay Compliant and Protect Patient Data with ITonDemand

Who Is Professional Finance Company (PFC)?

Professional Finance Company, Inc. (PFC) is a debt collection agency based in Greeley, Colorado. Founded in 1904, the company works with healthcare, retail, finance, and government organizations. It helps them recover unpaid debts through third-party collections, early-out programs, and debt purchasing. PFC provides debt recovery services while offering online payment options for consumers. The company emphasizes a professional approach to collections and highlights its long-standing industry experience.

The PFC Data Breach Incident

In February 2022, Professional Finance Company (PFC) detected and stopped a Quantum ransomware attack that had disrupted parts of its computer systems. An investigation found that an unauthorized third party had accessed files during the breach. These files contained personal information tied to individuals PFC’s clients served, many of whom were healthcare organizations.

The type of information exposed varied. For some, it included names, addresses, account balances, and payment history. For others, it also involved Social Security numbers, birth dates, and health-related details like insurance or treatment information. Although there was no evidence the data had been misused, PFC began notifying affected organizations and sending letters to individuals whose information may have been involved.

In response, PFC offered free credit monitoring and identity theft protection. It also set up a dedicated call center to help individuals with questions or concerns. Internally, the company rebuilt affected systems and made changes to improve its security, including updates to its policies, procedures, and how sensitive data is stored.

In the months that followed, questions were raised about how the incident was handled. This eventually led to a class action lawsuit, claiming PFC failed to safeguard personal information properly. After more than two years, the case resulted in a settlement in 2024.

Professional Finance Company Lawsuit Details

After the February 2022 breach, a class action lawsuit was filed against Professional Finance Company. The lawsuit claimed PFC did not do enough to protect sensitive personal information and that its security measures were not strong enough, leaving affected individuals at risk of identity theft and fraud.

Settlement Terms

PFC agreed to pay $2.5 million into a fund to settle the case. The settlement is non-reversionary, meaning no part of the fund returns to PFC: whatever is not paid out in claims does not go back to the company.

Who Can Get Compensation?

People whose personal information was exposed in the breach may be eligible. Those whose Social Security numbers (SSNs) were compromised have extra benefits.

What Does the Settlement Offer?

If your SSN was exposed:

  • You can request up to $500 to cover out-of-pocket costs related to the breach.
  • You get 24 months of free credit monitoring.
  • If you lived in California when the breach happened, you may also receive a $50 cash payment.

If your SSN was not exposed:

  • You can still receive 24 months of free identity theft monitoring.

Important Legal Deadlines

  • Submit a claim by: April 25, 2025
  • Final court hearing on: April 17, 2025

More details are available on the official settlement website.

How Vendors Share Breach Information With Healthcare Partners

When a breach involves a third-party billing or collections vendor, information must be shared quickly and clearly. The HIPAA Breach Notification Rule sets the baseline: a business associate such as PFC must notify the affected covered entities without unreasonable delay, and no later than 60 days after discovering the breach, and the covered entity must in turn notify the affected individuals. In the PFC breach, the vendor sent breach notification letters to patients and providers. These letters explained what data was exposed, including medical information, payment details, and other compromised information.

Vendors like PFC are expected to keep healthcare partners informed during a security incident. Vendor contracts often include rules about how and when to share details about data access or potential threats. Clear updates help providers act fast, meet reporting deadlines, and keep patients informed. This kind of communication is also critical when dealing with malicious actors and protecting patient trust.

The Impact of the Data Breach on Healthcare Patients

The breach involving PFC’s computer systems affected close to 2 million healthcare patients. PFC worked with hundreds of providers, including UCHealth and Shields Health Care Group. Because of that, the impact reached across many connected health information systems. Some of the patients had received services like medical imaging, outpatient surgeries, or billing support tied to these organizations.

The exposed data included key parts of a person’s digital identity. That may have involved names, dates of birth, Social Security numbers, insurance details, and medical treatment information. With that much information at risk, the chances of identity theft are much higher. Criminals could use the data for financial fraud or even file false medical or insurance claims. Patients are encouraged to watch their financial and healthcare accounts for suspicious activity.

The breach was also listed on the Department of Health and Human Services (HHS) breach reporting portal, showing the widespread exposure. This incident reminds patients that even if care is delivered safely, their personal information can still be at risk through third-party systems behind the scenes.

How the PFC Breach Affected Healthcare Providers

The PFC data breach affected 657 healthcare providers across the country. That included large systems like Banner Health, Renown Health, DispatchHealth, and Eye Care Leaders. These providers used PFC to manage billing and accounts receivable. When PFC’s systems were compromised, it caused major disruptions and raised concerns about how patient information was being handled.

Many healthcare practices had to shift time and staff to deal with the fallout. They worked with PFC to send breach notifications, respond to patient questions, and comply with data breach laws. Even though the data breach came from a third-party billing company, patients often looked to the providers for answers. That damaged trust and brought attention to how healthcare providers manage vendor relationships, especially when those vendors handle sensitive medical and financial data.

Mistakes That PFC Made That Allowed the Incident To Happen

Some of the issues that led to the breach appear to be tied to weak security practices. The size of the incident suggests PFC may not have had strong enough protections in place, such as updated software, proper access controls, or segmented systems to limit the spread of an attack. Once inside the network, the attackers were able to access a large amount of sensitive information, which may not have been properly encrypted or restricted.

Another issue was the delay in notifying clients. The attack was detected in late February, but healthcare providers weren’t notified until May 5, more than two months later. Counted from late February, that exceeds the 60-day outer limit HIPAA gives a business associate to notify affected covered entities after discovering a breach, so the timeline raises a fair question about whether PFC met its notification obligations and whether individuals could have acted sooner to protect themselves. There’s also no public indication that PFC had a well-tested incident response plan, which could have helped reduce the damage.

What PFC Did Right When Responding to the Breach

After the ransomware attack, Professional Finance Company took several steps to respond quickly. The company detected and stopped the attack early, which helped limit the damage. They hired outside cybersecurity experts to investigate what happened and to check how far the breach had gone. PFC also reported the incident to federal law enforcement. On May 5, 2022, they informed their healthcare provider clients about the breach. That gave those organizations time to respond and notify the people whose information may have been involved.

To help affected individuals, PFC offered free credit monitoring and identity theft protection. They also set up a call center to answer questions and provide support. Inside the company, they rebuilt the affected systems and made changes to improve their security. That included updating their policies, procedures, and the way they store and manage personal data. These actions suggest that PFC took meaningful steps to contain the breach and reduce its impact.

How You Can Protect Your Business From Ransomware

Ransomware attacks can cause severe financial and reputational damage, especially if sensitive data is compromised. While no system is perfect, there are practical steps businesses can take to reduce risk and respond effectively if an attack occurs. Here are a few to consider:

  • Keep all software and systems updated with the latest security patches.
  • Use strong access controls and require multi-factor authentication (MFA).
  • Back up critical data regularly and store backups offline or in secure cloud environments.
  • Train employees to recognize phishing attempts and suspicious links.
  • Limit access to sensitive data based on role or business need.
  • Monitor systems for unusual activity and respond quickly to alerts.
  • Develop and test an incident response plan before you need it.

Even basic cybersecurity improvements can make a big difference. Taking proactive steps now can help your business avoid costly disruptions later.
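The "monitor systems for unusual activity" item above is the one most people leave abstract, so here is an added example of what such monitoring can look like in practice. It is illustrative code written for this article, not PFC's tooling or anything from the incident. It assumes a simple file-event log of the form `<timestamp> <process> <op> <path>` (a constructed format), an illustrative list of ransomware extensions and ransom-note filenames (assumptions, not a vetted signature set), and flags a process that renames many files to such an extension inside a short window or drops a ransom note. Detections like this belong in an EDR or SIEM rule, but the heuristic is the same.

```python
"""Ransomware-activity heuristic over a constructed file-event log.

Added example for this article; not PFC's code. Log format is an
assumption: one event per line, "<iso-timestamp> <process> <op> <path>",
where op is CREATE, WRITE, RENAME or DELETE and path is the resulting path.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: illustrative indicators only, not a maintained signature list.
SUSPICIOUS_EXTENSIONS = {".quantum", ".locked", ".encrypted"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.txt"}


def build_sample_log():
    """Constructed sample: a benign editor saving a few documents, plus a
    process that mass-renames files to a ransomware extension across a
    share and then drops a ransom note."""
    t0 = datetime(2022, 2, 26, 3, 0, 0)
    lines = []
    for i in range(3):
        ts = t0 + timedelta(seconds=i * 30)
        lines.append(f"{ts.isoformat()} winword.exe WRITE C:\\Users\\amy\\Documents\\report{i}.docx")
    for i in range(25):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} update.exe RENAME C:\\Shares\\billing\\acct{i:03d}.pdf.quantum")
    ts = t0 + timedelta(seconds=26)
    lines.append(f"{ts.isoformat()} update.exe CREATE C:\\Shares\\billing\\README_TO_DECRYPT.txt")
    return "\n".join(lines)


def parse_events(text):
    """Parse log lines into (timestamp, process, op, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, op, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), proc, op, path))
    return events


def detect_ransomware(events, window=timedelta(seconds=60), rename_threshold=20):
    """Return {process: sorted indicator names} for every process that trips
    at least one heuristic:
      mass_rename - at least `rename_threshold` renames to a suspicious
                    extension within a sliding `window`
      ransom_note - creates a file whose basename is a known ransom-note name
    """
    recent = defaultdict(deque)   # process -> timestamps of suspicious renames
    findings = defaultdict(set)
    for ts, proc, op, path in sorted(events):
        # Normalise Windows separators so basename/splitext work on any host.
        name = os.path.basename(path.replace("\\", "/")).lower()
        ext = os.path.splitext(name)[1]
        if op == "RENAME" and ext in SUSPICIOUS_EXTENSIONS:
            q = recent[proc]
            q.append(ts)
            while q and ts - q[0] > window:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= rename_threshold:
                findings[proc].add("mass_rename")
        if op == "CREATE" and name in RANSOM_NOTE_NAMES:
            findings[proc].add("ransom_note")
    return {proc: sorted(reasons) for proc, reasons in findings.items()}


if __name__ == "__main__":
    for proc, reasons in detect_ransomware(parse_events(build_sample_log())).items():
        print(f"ALERT {proc}: {', '.join(reasons)}")
```

The rename threshold and window are the tuning knobs: a backup agent or a bulk document conversion can rename many files quickly, so in production you would allow-list known processes and raise the threshold rather than alert on every burst. The ransom-note check is cheap and high-confidence, but it fires after encryption has started, which is why the rate-based rule matters more for limiting damage.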

Stay Compliant and Protect Patient Data with ITonDemand

The PFC data breach shows how one weak link, whether a provider or a vendor, can expose sensitive patient data and disrupt entire healthcare operations. Compliance isn’t just a legal requirement; it’s a critical layer of defense against growing cybersecurity threats.

ITonDemand offers certified HIPAA compliance services designed to help healthcare organizations and their vendors safeguard patient information. From risk assessments to policy management, we help ensure your systems meet regulatory standards and stay secure. If you’re ready to strengthen your compliance posture, we’re here to help.
