This class action brings suit against Professional Finance Company, Inc. (PFC), alleging that it did properly secure the personally identifiable information (PII) and protected health information (PHI) it stored in its systems. The complaint alleges that PFC bears responsibility, first for the data breach it suffered, and also for the fact that it did not give the individual victims timely, complete, or adequate notice of the event afterwards.
The class for this action is all US residents whose private information was actually or potentially accessed or acquired in the data breach announced in the Notice of Cybersecurity Incident PFC sent out on or around July 1, 2022.
PFC is a debt collector, also known as an “accounts receivable management” company that handles unpaid bills for clients that include healthcare providers, financial organizations, and government agencies. On its website, the complaint alleges, PFC claims it is “[f]ully compliant with all regulations, specifically … HIPAA (Health Insurance Portability and Accountability Act).”
On or around February 26, 2022, said the Notice of Cybersecurity Incident posted on PFC’s website, PFC “detected and stopped” a ransomware attack. As part of that attack, the PFC Notice said, an “unauthorized third party accessed and disabled some of PFC’s computer systems[.]” The complaint alleges that the company engaged a forensic specialist and found out that 657 healthcare provider clients had been affected.
Unfortunately, according to the complaint, the Notice was only posted on or around July 1, 2022.
The information stolen included names, account receivable balances, account payment information, and, for some persons, birth dates, Social Security numbers, and health insurance and medical treatment information.
The complaint makes a startling accusation: “Upon information and belief,” it alleges, “at the time of the Data Breach, the PII and PHI of Plaintiff and Class Members were accessible from the [I]nternet, regardless of whether there were any security mechanisms that [PFC] mistakenly believed would safeguard the PII and PHI from unauthorized access via the [I]nternet.” It also claims that at the time of the data breach, none of the information was encrypted.
The complaint alleges, “This PII and PHI was subject to unauthorized access and/or acquisition due to [PFC’s] negligent and/or careless acts and omissions and the failure to protect the PII and PHI of Plaintiff and Class Members.” It adds that PFC’s “conduct amounts to negligence and violates federal and state statutes.”
PFC, it says, “intentionally, willfully, recklessly, or negligently fail[ed] to take and implement adequate and reasonable measures” to protect the information that was entrusted to it.
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
Professional Finance Company Data Breach Complaint
July 14, 2022
This class action brings suit against Professional Finance Company, Inc. (PFC), alleging that it did properly secure the personally identifiable information (PII) and protected health information (PHI) it stored in its systems. The complaint alleges that PFC bears responsibility, first for the data breach it suffered, and also for the fact that it did not give the individual victims timely, complete, or adequate notice of the event afterwards.
Professional Finance Company Data Breach ComplaintCase Event History
Professional Finance Company Data Breach Complaint
July 14, 2022
This class action brings suit against Professional Finance Company, Inc. (PFC), alleging that it did properly secure the personally identifiable information (PII) and protected health information (PHI) it stored in its systems. The complaint alleges that PFC bears responsibility, first for the data breach it suffered, and also for the fact that it did not give the individual victims timely, complete, or adequate notice of the event afterwards.
Professional Finance Company Data Breach Complaint