Professional Finance Company (PFC) Inc. details what could be the largest healthcare data breach this year

DESCRIPTION

Professional Finance Company (PFC) Inc. is a debt collection and accounts receivable management company that serves healthcare, government, and utility organizations across the U.S. PFC has provided details of what could be the largest healthcare data breach this year. The company released a list of organizations whose data may have been compromised in a ransomware attack on PFC in February 2022 and began contacting the patients of the affected organizations on May 5, 2022. Compromised data included names, contact information, birth dates and Social Security numbers (SSNs), as well as details of health insurance, medical treatment, and payment information. Evidence shows that the data was accessed before the encryption attack began. Forensic investigators have not been able to confirm whether the attackers misused any of the data, but that possibility has not been ruled out.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

The attack was detected by a third-party cybersecurity platform on February 23, 2022. The platform vendor confirmed that the attack was carried out by the Quantum ransomware gang and that data was exfiltrated using various command line tools. Quantum is a rebranding of an earlier ransomware family called MountLocker. As a calling card, the gang appends a .quantum file extension to each encrypted file. Quantum has a reputation for encrypting files quickly: while other ransomware strains such as Conti can take multiple weeks to encrypt all the files within a company's on-prem domain, Quantum can complete the encryption process in a matter of hours.
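The two observable facts above, the .quantum extension appended to encrypted files and the speed at which Quantum works through a share, combine into a simple file-server detection rule: alert when one host renames many files to a .quantum suffix within a short window. The script below is an added example and is not code from the original advisory or from PFC or its vendor. It assumes a constructed, simplified file-event log format ("<ISO timestamp> <host> <event> <old path> -> <new path>") and invented hostnames and paths; real file-audit sources (Windows object-access events, EDR telemetry, NAS audit logs) will need their own parser feeding the same detection logic.

```python
"""Flag bulk rename-to-.quantum activity in a file-event log.

Added example, not part of the original advisory. The log format, hosts
and paths below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The extension Quantum appends to encrypted files (its calling card).
QUANTUM_EXT = ".quantum"

# Constructed sample log (not data from the PFC incident).
# Assumed format: "<ISO timestamp> <host> <event> <old path> -> <new path>"
SAMPLE_LOG = """\
2022-02-23T01:12:03 FS01 RENAME C:\\Shares\\Billing\\acct_1043.pdf -> C:\\Shares\\Billing\\acct_1043.pdf.quantum
2022-02-23T01:12:03 FS01 RENAME C:\\Shares\\Billing\\acct_1044.pdf -> C:\\Shares\\Billing\\acct_1044.pdf.quantum
2022-02-23T01:12:04 FS01 RENAME C:\\Shares\\Billing\\acct_1045.docx -> C:\\Shares\\Billing\\acct_1045.docx.quantum
2022-02-23T01:12:04 FS01 RENAME C:\\Shares\\Billing\\acct_1046.xlsx -> C:\\Shares\\Billing\\acct_1046.xlsx.quantum
2022-02-23T01:12:05 FS01 RENAME C:\\Shares\\Billing\\acct_1047.pdf -> C:\\Shares\\Billing\\acct_1047.pdf.quantum
2022-02-23T01:12:05 FS01 RENAME C:\\Shares\\Billing\\acct_1048.pdf -> C:\\Shares\\Billing\\acct_1048.pdf.quantum
2022-02-23T09:30:10 WS17 RENAME C:\\Users\\jdoe\\draft.docx -> C:\\Users\\jdoe\\draft_final.docx
2022-02-23T09:41:55 WS17 RENAME C:\\Users\\jdoe\\notes.txt -> C:\\Users\\jdoe\\notes.txt.quantum
"""


def parse_event(line):
    """Parse one log line into (timestamp, host, event, old_path, new_path).

    new_path is None for events that carry no ' -> ' target.
    """
    ts, host, event, rest = line.split(" ", 3)
    old_path, sep, new_path = rest.partition(" -> ")
    return datetime.fromisoformat(ts), host, event, old_path, (new_path if sep else None)


def is_quantum_rename(event, old_path, new_path):
    """True when a rename newly appends the .quantum extension."""
    return (
        event == "RENAME"
        and new_path is not None
        and new_path.lower().endswith(QUANTUM_EXT)
        and not old_path.lower().endswith(QUANTUM_EXT)
    )


def quantum_renames(lines):
    """Return [(timestamp, host, new_path)] for every rename that appends .quantum."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, event, old_path, new_path = parse_event(line)
        if is_quantum_rename(event, old_path, new_path):
            hits.append((ts, host, new_path))
    return hits


def detect_bulk_encryption(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {host: peak_count} for hosts that renamed >= threshold files to
    .quantum inside any sliding window of the given length.

    A single .quantum rename on a workstation is worth a ticket; a burst of
    them on a file server is the encryption phase in progress.
    """
    per_host = defaultdict(list)
    for ts, host, _path in quantum_renames(lines):
        per_host[host].append(ts)

    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        recent = deque()   # timestamps inside the current window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[host] = peak
    return alerts


if __name__ == "__main__":
    for host, count in detect_bulk_encryption(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: {count} files renamed to {QUANTUM_EXT} within one minute")
```

On the constructed log, FS01 trips the rule (six .quantum renames in two seconds) while the single rename on WS17 stays below the default threshold. Treat this as a late-stage signal: by the time the extension appears, files on that host are already encrypted, and the advisory notes that data had been exfiltrated with command line tools before encryption started, so the rule belongs alongside earlier detections (unusual archiving and outbound transfer tooling, new admin logons on file servers), not in place of them.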

CONTAINMENT (If IoCs are identified)

PFC stated that while it was able to block the encryption attempt, some of its systems were brought down during the attack. The company is providing credit monitoring at no cost to everyone whose identity may have been compromised.

FBI ALERT

PFC's announcement comes days after a cybersecurity advisory was issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) regarding a series of state-sponsored attacks on the U.S. healthcare sector by a North Korean ransomware operation. The attacks have been taking place since May 2021 using the Maui ransomware. They specifically target servers in order to bring down diagnostic, imaging, and intranet services for prolonged periods.

PREVENTION

Healthcare organizations are urged to prepare for these types of attacks by taking the following measures:

  • Enforce least privilege for all standard user accounts so that regular users do not hold local admin rights that can be exploited if an account is compromised
  • Use TLS (SSL) certificates to authenticate connections and encrypt communication for IoT medical devices and electronic record systems, in order to prevent data in transit from being captured or manipulated
  • Encrypt any data repositories that host personal and patient identifiable information to secure it at rest
  • Keep all operating systems, software applications and firmware updated to the latest versions so that threat actors cannot exploit already-patched vulnerabilities
  • Use monitoring tools to observe and detect any non-prescribed behavior by applications or IoT devices
  • Require administrator credentials to install any software on computer devices
  • Audit all user accounts with administrative rights or escalated privileges

Be prepared to provide a brief background of your business and a summary of how the attack has affected its operations.

Ensure your Incident Response Readiness (IRR) in the event of an attack, and review your security and risk profile.