Professional Finance Company Inadequate Protection of Private Information Class Action

Professional Finance Company, Inc. (PFC) is an accounts receivable management company, sometimes called a debt recovery agency or debt collector, that was attacked by cybercriminals in February 2022. The complaint for this class action faults PFC for not taking adequate measures to safeguard the personally identifiable information (PII) and protected health information (PHI) of individuals in its files.

The Nationwide Class for this action is all US residents whose private information was compromised in the data breach revealed by PFC in its Breach Notice. A Colorado Class has also been defined for Colorado residents whose private information was compromised in the data breach revealed by PFC in its Breach Notice.

PFC is a leading debt recovery agency that attempts to collect debts for healthcare providers, retailers, financial organizations, and government agencies. It stores a great deal of private information which has been provided not by the subjects of that information but by its debt recovery clients.

The complaint quotes PFC’s privacy policy as saying that the company is “serious about data security” and that it “seek[s] to implement the best practices in data collection, storage, processing, and security to protect against unauthorized access and disclosure.”

Despites these statements, the complaint alleges that on February 26, 2022, the company was attacked by cybercriminals who were able to “access[] and disable[] some of its computer systems.” The forensic expert hired by PFC determined, the complaint alleges, that 657 of its healthcare provider clients’ files were affected.

The complaint alleges that the accessed files included such things as names, addresses, information about payments, and for some individuals, birth dates, Social Security numbers, health insurance information, and medical treatment information.

PFC found out about the data breach in February but the complaint claims it did not begin notifying the individuals affected until May 5, 2022. The complaint alleges, that PFC “delayed in sending notices of the Data breach even though it is well aware of the need to move quickly in responding to [d]ata breach events due to the nature of its business and the sensitive information it maintains.”

The complaint claims that the information was exposed because of PFC’s “negligent and/or careless acts and omissions and the failure to protect the Private Information…” and that the company “did not use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted information they were maintaining … causing the exposure of Private Information.”

The complaint further faults PFC for disclosing very little about the incident, such as “when cybercriminals hacked its systems, how PFC allowed them to do so, why PFC was unable to stop it, and what information hackers obtained and from whom.”

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy