
A ransomware attack on a debt collection firm is one of 2022’s biggest health data breaches

A ransomware attack on a little-known debt collection firm that serves hundreds of hospitals and medical facilities across the U.S. could be one of the biggest data breaches of personal and health information this year.

The Colorado-based Professional Finance Company, known as PFC, which contracts with “thousands” of organizations to process customer and patient unpaid bills and outstanding balances, disclosed on July 1 that it had been hit by ransomware months earlier in February.

PFC said in its data breach notice that more than 650 healthcare providers are affected by its ransomware attack, adding that the attackers took patient names, addresses, their outstanding balance and information relating to their account. PFC said that in “some cases” dates of birth, Social Security numbers and health insurance and medical treatment information were also taken by the attackers.

In a separate filing with the U.S. Department of Health and Human Services, PFC confirmed that more than 1.91 million patients are affected by the cyberattack.

At least two healthcare organizations listed as affected by PFC have issued their own data breach notifications. Bayhealth Medical Center in Delaware said 17,481 patients were affected by the PFC breach, while Coleman County Medical Center in Texas disclosed the breach to 1,159 patients.

The attack on PFC is second in size only to a March 2022 data breach at Shields Health Care Group, a medical imaging company with facilities across New England, which affected an estimated two million patients.

PFC chief executive Michael Shoop did not respond to our email asking for information about its ransomware attack. Instead, the company’s general counsel Nick Prola reiterated its boilerplate statement in an email but declined to answer our specific questions, including why it took the company four months to notify affected healthcare providers and whether the stolen data was encrypted.


It’s not the first time that cybercriminals have targeted a debt collection firm, resulting in a massive theft of personal information. At least 20 million patients had data stolen when AMCA, a medical debt collector contracted with laboratory testing giants LabCorp and Quest Diagnostics, was hit by a data breach. AMCA subsequently filed for bankruptcy following the breach.


You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@alltechnewstime.com by email.
