1.9m patient records exposed in healthcare debt collector ransomware attack

Professional Finance Company, a Colorado-based debt collector whose customers include hundreds of US hospitals, medical clinics, and dental groups, recently disclosed that private data – including names, addresses, social security numbers, and health records – for more than 1.9 million people was exposed during a ransomware …

  1. ecofeco Silver badge

    Criminals hack criminals

    While it sucks that personal records were stolen, I have no love for the company either.

    Much like when Equifax was hacked.

    1. Anonymous Coward

      Re: Criminals hack criminals

      You don't need love for the company, that is irrelevant.

      Love 'em or hate 'em they have your data and have a duty of care over that information.

      Something that is obviously lacking in many cases.

      Let's take this article as an example.

      '"detected and stopped a sophisticated ransomware attack"'

      They may have detected it but they didn't stop it before the damage was done.

      Weasel words in my colloquial, but more commonly known as bullshit.

      And it's always 'sophisticated' isn't it. FFS, it's almost never sophisticated.

      Ah well, tomorrow is another day...

      1. TonyJ

        Re: Criminals hack criminals

        I came here to say exactly the same thing.

        It was always "sophisticated"

        They always "detected and stopped" it

        Which I always assume means "someone opened an email attachment and when their computer locked up with a ransomware message, they called IT, who basically said 'shitting hell we'd best tell the boss'"

        I am not sure what is to be gained out of stealing the details of people from a debt collection agency (and what kind of first world culture puts their own citizens into debt to be treated medically anyway?) - surely there's not much point trying to open e.g. a credit card with their details?

        Not the point at all, I know, but it makes me wonder why the hell the perpetrators bothered other than "they could".

        1. MachDiamond Silver badge

          Re: Criminals hack criminals

          "I am not sure what is to be gained out of stealing the details of people from a debt collection agency ......"

          Any information on a person can have value. Sometimes it's not that somebody can't pay, but that there is a dispute about what's been billed and how much. If an account is past a certain date, automated systems might just hand the details off to a debt collector even if the bill is in dispute.

          If I wanted a complete dossier on somebody, their health records would be handy too. If I'm an insurer and can buy PII from a guy my brother knows through a friend, I might want to do that to see if a new applicant has an existing condition or likes to play so hard they hurt themselves frequently.

        2. Anonymous Coward

          Re: Criminals hack criminals

          We had an account with a medical debt collection company for several years (not PFC, thankfully). The medical provider offered us 0% interest to pay the couple thousand dollars in installments over 3 years, and when we had another big bill about 2 years later, tacked that on to the amount owed and let us keep paying at the same rate. We COULD have paid 100% up front, but who in their right mind would decline a 0% loan for a couple thousand dollars?

          Now entirely paid off. And yes, the total amount of interest paid was $0.00.

        3. Ken Moorhouse Silver badge

          Re: what is to be gained out of stealing the details of people from a debt collection agency

          A PayDay Loan company would be interested, in order to put them deeper in debt...

        4. John Brown (no body) Silver badge

          Re: Criminals hack criminals

          "I am not sure what is to be gained out of stealing the details of people from a debt collection agency "

          It could help with some very personal and targeted Facebook/other social media posts/adverts from "interested parties" during elections.

      2. Woodnag

        You forgot:

        "Data security is one of PFC’s highest priorities"

    2. Throatwarbler Mangrove Silver badge
      Go

      Re: Criminals hack criminals

      This is the rare case where I wish the ransomware scum had been successful in driving the company out of business.

  2. JacobZ
    Facepalm

    The root cause here...

    ...is that there is such a thing as "healthcare debt", and therefore "healthcare debt collectors".

    The first and best protection against security issues is to minimize the attack surface. Not only does the American health care system provide the worst care at the highest cost, and bankrupt people for reasons beyond their control, it also creates this entire class of security risks that simply should not exist.

    1. skeptical i
      Pint

      Re: The root cause here...

      @JacobZ: Came here to say the same thing but you beat me to it. Have some mental health care. ---->

      1. Little Mouse

        Re: The root cause here...

        There's nothing like a depressant to chase the blues away.

    2. MachDiamond Silver badge

      Re: The root cause here...

      "Not only does the American health care system provide the worst care at the highest cost, and bankrupt people for reasons beyond their control, it also creates this entire class of security risks that simply should not exist."

      The same thing happens in the UK. If you've been treated for cancer and it returns, you may not be eligible to receive any further treatment unless you pay for it yourself. That can include medications.

      There is a very difficult dilemma when it comes to drawing the line on medical treatment. How much should be spent on a 75-year-old man who's smoked all his life and ate nothing but bacon sandwiches? What do you do about a child that's still very young but whose body is racked with very aggressive cancers and has a 1% chance of remission? How long is somebody that's been in an accident kept on life support? Balance these with somebody that needs to have a joint fixed so they can walk again or back surgery so they aren't in constant pain. Both of those people aren't going to die, but they are also going to have a poor quality of life and might not be able to work. Who's going to put their neck on the line and take the heat for making priorities in the face of parents with a very ill child?

      Medical services and tax money to pay for them have limits. Health care advancements have improved by leaps and bounds to the point where the body can be kept going far too long. Heroic life saving procedures can rescue somebody from the brink and leave them doing nought else but pumping blood and breathing.

      1. martinusher Silver badge

        Re: The root cause here...

        Actuarial organizations like NICE are necessary because all care has a cost attached to it and -- love it or loathe it -- all humans have a limited value. That's not the issue here, though.

        Insurance companies don't pay for treatment unless it's pre-authorized, in other words there's already been a form of NICE analysis done on a case and a dollar figure attached to this. Anything above and beyond is the responsibility of the patient, usually in the form of copayments and annual coverage limits. A patient needs to be very careful evaluating providers and different treatment options because if they don't (a situation that most people facing a serious medical condition are likely to be in) one foot wrong can easily put them on the hook for tens or hundreds of thousands of dollars.

        Medical debt is still the leading cause of personal bankruptcy in the US.

        The Affordable Care Act started to address this system but as it can be really lucrative if worked properly there's been considerable push back with many of the states that champion freedom being reluctant to implement its provisions. There are alternatives to insurance based coverage such as Health Maintenance Organizations (they work a bit like the NHS before successive Conservative governments screwed it up, turning it into a sort of bastardized PPO) but their coverage doesn't include a lot of the Heartland and they can be difficult to join.

  3. wolfetone Silver badge

    What a lovely collection of personal data you have here...

    it'd be a shame if anything was to happen to it, because someone couldn't keep up the repayments on their heart surgery?

    Wouldn't it?

  4. Terje

    If we ignore the base issue at hand (medical debt) and focus on the company, I ask this simple question! It's a debt collector, why does it have medical history records at all?

    1. MachDiamond Silver badge

      "If we ignore the base issue at hand (medical debt) and focus on the company, I ask this simple question! It's a debt collector, why does it have medical history records at all?"

      Exactly! We can get mired in all sorts of arguments about the cost of health care and who pays the bill, but why does a debt collection agency need somebody's medical records? I don't see that they do and shouldn't it be a violation of some law or act for those records to be released to a third party?

  5. Anonymous Coward

    Medical debt

    Hi, it's something I want to see changed.

    Many people pay the hospital and other charges, then months or years later get hit with a ridiculous amount that is simply impossible to pay and puts them in bankruptcy.

    It's bad enough that some with chronic health conditions and no insurance are getting DNR/DNT living wills stating no medical intervention, the problem here is when EMTs find this they are in an impossible situation where "required" by their contracts to treat someone who has specifically refused treatment.

    Personally I think this is exactly why the FDA and Big Pharma should be reined in by Fed and the market allowed to choose what needs to be done about excessive charges.

    $200,000 for 2 days in hospital is an outrage!

    1. Throatwarbler Mangrove Silver badge
      WTF?

      Re: Medical debt

      I was with you, more or less, until this sentence:

      "Personally I think this is exactly why the FDA and Big Pharma should be reined in by Fed and the market allowed to choose what needs to be done about excessive charges."

      The FDA is a federal agency whose job is to, in part, rein in the pharmaceutical industry. One can quibble about its effectiveness in doing so (*cough* regulatory capture *cough*), but in practical terms, you're asking the federal government to rein itself in. Separately, the free market is the fucking problem with the health care system in the US. The health care industry charges what the market will bear in regards to health, and it turns out that, yes, people are willing to bankrupt themselves to stay the fuck alive. What most people want is to have "market pricing" reined in.

    2. MachDiamond Silver badge

      Re: Medical debt

      "$200,000 for 2 days in hospital is an outrage!"

      That's the price for allowing juries to award unlimited amounts of money in a lawsuit. That money has to come from somewhere so insurance companies that wind up paying raise their rates forcing doctors and hospitals to raise their rates.

      What was it that Mr Shakespeare said regarding lawyers?

  6. Anonymous Coward

    Let's ask that annoying question again

    .. just so the apologists have something to do.

    Which OS was underneath each exposure?

    Just curious :).

  7. Anonymous Coward

    Are they going to be collecting UK data?

    Government is SO keen on letting the big American "health providers" access to the NHS budget.

    1. Woodnag

      What do you mean, "are they?"

      Palantir already had access to UK health data, to name just one.
