Professional Finance Company Exposure of Data Class Action

Professional Finance Company, Inc. (PFC) is a debt recovery agency that helps collect debts owed to retailers, healthcare providers, financial organizations, and government agencies. As such, it holds a great deal of private information, including the personally identifiable information (PII) and protected health information (PHI) of the alleged debtors. The complaint for this class action alleges that PFC did not take adequate measures to safeguard this PII and PHI, which led to the information being exposed in a cybersecurity attack.

Two classes have been proposed for this action:

The Nationwide Class is all US residents whose private information was actually or potentially accessed or acquired during the data breach in the Notice of Data Breach that PFC published on or about July 1, 2022.

The California Class is all California residents whose private information was actually or potentially accessed or acquired during the data breach in the Notice of Data Breach that PFC published on or about July 1, 2022.

The complaint alleges, “By obtaining, collecting, using, and deriving a benefit from the Private Information…, [PFC] assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion.”

PFC discovered the data breach on February 26, 2022, the complaint alleges, when it found that unauthorized parties had “accessed and disabled some of [PFC’s] computer systems…” When it investigated, with the help of a forensic specialist, the complaint claims, PFC found that 657 of its health provider clients had been affected.

The complaint alleges that the information that was accessed or stolen included PII such as names, addresses, information about payments, and, for some individuals, birth dates, Social Security numbers, health insurance information and medical treatment information.

Although PFC discovered the data breach in February, the complaint alleges the company did not inform the individuals whose information was exposed until on or about July 1, 2022.

The complaint alleges that PFC “could have prevented this Data Breach by properly securing and encrypting the systems containing Plaintiff’s and Class Members’ PII and PHI. Alternatively, [PFC] could have destroyed the data, especially for individuals with whom it had not had a relationship for a period of time.”

The complaint provides long lists of measures that PFC could have taken to strengthen the security of its systems, with recommendations from the US government, the US Cybersecurity & Infrastructure Security Agency, and the Microsoft Threat Protection Intelligence Team.

The company’s negligence is made worse, the complaint claims, because companies like PFC have had repeated warnings and alerts about the possibility of data breaches.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy