A ransomware attack on a little-known debt collection company that serves hundreds of hospitals and medical facilities across the United States could be one of the biggest personal and healthcare data breaches this year.

The Colorado-based Professional Finance Company, known as PFC, which contracts with “thousands” of organizations to process unpaid bills and outstanding balances from customers and patients, revealed on July 1 that it had been hit by ransomware months earlier in February.

PFC said in its data breach notice that more than 650 healthcare providers are impacted by its ransomware attack, adding that the attackers took patients’ names, addresses, outstanding balances and health information. account. PFC said that in “some cases” dates of birth, social security numbers, and health insurance and medical treatment information were also taken by the attackers.

In a separate filing with the US Department of Health and Human Services, PFC confirmed that more than 1.91 million patients are affected by the cyberattack.

At least two healthcare organizations listed as affected by the PFC have issued their own data breach notifications. Bayhealth Medical Center in Delaware said 17,481 patients were affected by the PFC breach, while Coleman County Medical Center in Texas disclosed the breach to 1,159 patients.

The attack on PFC is the second largest after a March 2022 data breach at Shields Health Care Group, a medical imaging company with facilities across New England, affecting approximately two million patients.

PFC Managing Director Michael Shoop did not respond to our email requesting information about his ransomware attack. Instead, the company’s general counsel, Nick Prola, reiterated his boilerplate statement in an email, but declined to answer our specific questions, including why it took the company four months. to notify affected healthcare providers and whether the stolen data was encrypted.

This is not the first time that a debt collection company has been targeted by cybercriminals and resulted in a massive theft of personal information. At least 20 million patients had their data stolen when AMCA, a medical debt collector contracted to lab testing giants LabCorp and Quest Diagnostics, suffered a data breach. AMCA later filed for bankruptcy following the breach.

You can reach this reporter on Signal and WhatsApp at +1 646-755-8849 or email [email protected]