Professional Finance Company Inc. (PFC) disclosed that it suffered a ransomware attack in February that affected over 600 healthcare organizations.
PFC did not disclose the group responsible for the attack, but cyber security experts attributed the incident to the Quantum ransomware gang.
The healthcare vendor disclosed in a data breach notification that the attack compromised sensitive information for more than one million patients.
Ransomware attack exposed data for millions of healthcare organizations’ clients
The ransomware attack exposed sensitive patient information such as patients' first and last names, addresses, accounts receivable balances, and information regarding payments made to accounts. The data breach also exposed dates of birth, Social Security numbers, and health insurance and medical treatment information for some patients.
PFC disclosed that the February data breach impacted 657 covered entities, and the complete list of affected organizations was published online. The company said it has found no evidence that the stolen patient data has been misused or changed hands.
PFC reported to the Office for Civil Rights at the Department of Health and Human Services that 1,918,941 individuals were affected. However, based on the individual healthcare organizations' own estimates, the number of impacted individuals could far exceed two million.
For example, Eye Care Leaders reported that the PFC ransomware attack and subsequent data breach affected at least 2.2 million clients. Similarly, Delaware’s Bayhealth Medical Center confirmed that more than 17,000 individuals affiliated with the facility were affected.
Other impacted healthcare organizations include Kernersville Eye Surgeons (13,412), Long Vision Center (29,237), Stokes Regional Eye Centers (266,170), Aloha Laser Vision (43,263), Center for Sight (41,041), and Mattax Neu Prater Eye Center with 92,361 affected individuals.
Some impacted healthcare organizations have also independently reported the data breach to the relevant authorities.
Finance company initiated incident response plan following a ransomware attack
The Greeley, Colorado-based accounts receivable management company said it disconnected some computers after detecting access by a sophisticated third party during the ransomware attack.
The healthcare vendor said it “detected and stopped a sophisticated ransomware attack in which an unauthorized third party accessed and disabled some of PFC’s computer systems.”
PFC engaged an external cyber forensic firm to investigate the incident after detecting the ransomware attack on February 26, 2022. The company began notifying the affected healthcare organizations around May 5.
Additionally, the company will offer the affected individuals complimentary credit monitoring and identity theft protection services. Affected individuals should nonetheless remain vigilant against identity theft by monitoring their financial statements and credit reports.
The management company said it rebuilt its systems and took additional steps to bolster its cyber defenses after the security incident.
“Data security is one of PFC’s highest priorities. Since the incident, PFC wiped and rebuilt affected systems and has taken steps to bolster its network security,” PFC stated.
“PFC also reviewed and altered its policies, procedures, and network security software relating to the security of systems and servers, as well as how data is stored and managed,” the company stated.
Healthcare organizations face increased cyber threats
Stephan Chenette, Co-Founder and CTO at AttackIQ, highlighted the string of ransomware attacks against healthcare organizations.
“The healthcare industry is one of the largest targets for cybercriminals, and since the onset of the COVID-19 pandemic, we’ve seen threat actors leverage this global crisis to target healthcare organizations — stealing this protected health information (PHI) and creating general unrest,” said Chenette.
The accounts receivable management company did not attribute the ransomware attack to any hacking group. However, AdvIntel's CEO Vitali Kremez suggested that the Quantum ransomware gang was responsible for the PFC attack.
The Quantum ransomware gang is a sub-group of the Conti cybercrime gang, which recently closed operations. Former Conti members have since joined other gangs such as AvosLocker, BazarCall, BlackByte, BlackCat, HelloKitty, and Hive.
“To best defend against Quantum ransomware attacks, it’s important to understand the common tactics, techniques, and procedures used by the adversary,” Chenette added. “In doing so, organizations can build more resilient security detection, prevention and response programs mapped specifically to those known behaviors.”
The PFC breach mirrors the American Medical Collection Agency (AMCA) incident that impacted 26 million individuals. So far, the 2019 AMCA security incident remains one of the most significant healthcare data breaches in history.
Nick Tausek, Lead Security Solutions Architect at Swimlane, identified the sensitive data held by healthcare organizations as the incentive for ransomware attacks.
“Healthcare organizations and their affiliates face unique challenges to efficiently manage information security due to their large, distributed networks and complex electronic health record platforms that store highly sensitive and valuable protected health information,” he added.
Tausek noted that recovery is complicated by the potential penalties for failing to detect and report unauthorized access. He advised healthcare organizations to adopt incident response and reporting automation to protect patient data and comply with the numerous data protection regulations that apply to them.
“The cost of a data breach in the healthcare industry is the highest of any vertical – IBM puts the average cost at $9.2M per incident in 2021,” said Sally Vincent, Senior Threat Researcher at LogRhythm. “Hospitals and healthcare organizations must be prepared for such attacks and strengthen their incident and response plans in order to quickly mitigate the impact of breaches.”