Vendor Ransomware Attack Impacts 660 Healthcare Organizations

July 06, 2022 - Professional Finance Company (PFC), an accounts receivable management agency based in Greeley, Colorado, disclosed a ransomware attack that impacted 660 of its healthcare organization clients.

According to a notice on its website, PFC “detected and stopped a sophisticated ransomware attack in which an unauthorized third party accessed and disabled some of PFC’s computer systems.”

PFC discovered the attack on February 26, 2022 and immediately engaged forensic specialists to secure its environment and investigate the incident. The investigation revealed that an unauthorized party accessed files containing certain personal information, and PFC began notifying impacted healthcare providers around May 5.  

Although there has been no evidence of misuse, the unauthorized party may have accessed first and last names, accounts receivable balance and information regarding payments, addresses, birth dates, health insurance and medical treatment information, and Social Security numbers.

Individual reports from healthcare entities are slowly being added to the Office for Civil Rights (OCR) data breach portal. Bayhealth Medical Center in Delaware reported that the incident impacted 17,481 individuals affiliated with the center. The full list of impacted entities can be found here.

“Data security is one of PFC’s highest priorities. Since the incident, PFC wiped and rebuilt affected systems and has taken steps to bolster its network security,” the notice stated.

“PFC also reviewed and altered its policies, procedures, and network security software relating to the security of systems and servers, as well as how data is stored and managed.”

Eye Care Leaders EMR Breach Update

Several more organizations reported that they had been impacted by the Eye Care Leaders EMR breach. As previously reported, Eye Care Leaders, which offers an ophthalmology-specific EMR solution, experienced unauthorized access to its myCare Integrity system in December 2021.

The incident has impacted 2 million individuals and counting, making it the largest reported healthcare data breach of 2022 so far. The following organizations added themselves to the long list of impacted organizations recently:

• Kernersville Eye Surgeons: 13,412 individuals impacted
• Long Vision Center: 29,237 individuals impacted
• Stokes Regional Eye Centers: 266,170 individuals impacted
• Aloha Laser Vision 43,263 individuals impacted
• Center for Sight: 41,041 individuals impacted
• Mattax Neu Prater Eye Center: 92,361 individuals impacted

Benefit Plan Administrators Reports Security Incident

Virginia-based Benefit Plan Administrators (BPA), which provides public and private companies with self-funded benefit plans, disclosed a data breach that occurred on September 13, 2021. BPA disclosed the breach on behalf of Alpha Natural Resources Non-Union VEBA Trust and Williamson Employment Services, two HIPAA-covered entities.

BPA said that the unauthorized network access potentially resulted in the removal of files containing names, birth dates, Social Security numbers, claims information, gender classification, and medical information.

The OCR data breach portal lists the breach as four separate incidents, impacting 1,267, 735, 628, and 1,145 individuals, respectively.

Although the event occurred in September, BPA said it began notifying impacted individuals on June 15, 2022. BPA provided complimentary credit monitoring services to impacted individuals.