Posted On July 9, 2022 Consumer Privacy & Data Breaches
July 8, 2022 – Bayhealth Medical Center, Inc. posted notice of a data breach on July 5, 2022, that affected the sensitive information of as many as 17,481 patients. The company explained that the incident involved a breach at one of the company’s vendors, Professional Finance Company, Inc. (“PFC”). As a result of the PFC data breach, patients’ first and last names, addresses, dates of birth, Social Security numbers, health insurance information and medical treatment information were accessible to an unauthorized party.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Bayhealth data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Bayhealth Medical Center, Inc.
The Bayhealth/PFC data breach is somewhat unique because although the breach affected the information of Bayhealth patients, it did not involve the medical center’s data security system. Instead, hackers were able to exploit weaknesses in PFC’s system.
PFC is a debt collection company that works with other organizations to recover their overdue accounts. Bayhealth has an arrangement with PFC under which PFC attempts to collect payment for certain Bayhealth patient accounts. To enable PFC to effectively collect debts, Bayhealth provides PFC with patient information.
Because the Bayhealth/PFC data breach didn’t involve Bayhealth’s data security systems, the company did not provide a data breach notice of its own—at least not yet. However, the Bayhealth website briefly explains the breach and provides a link to the PFC data breach letter.
Essentially, the PFC breach stems from a February 2022 ransomware attack that resulted in an unauthorized party gaining access to the sensitive information on PFC’s servers. According to PFC, the company “detected and stopped” the attack almost immediately; however, after conducting an investigation, PFC could not rule out unauthorized access. Thus, PFC reviewed all of the data that was accessible to the unauthorized party. This investigation confirmed that the unauthorized third party accessed files containing certain individuals’ personal information during this incident, including patients’ first and last names, addresses, dates of birth, Social Security numbers, health insurance information and medical treatment information.
On May 5, 2022, Professional Finance Company sent data breach letters to all affected patients, and, on June 30, 2022, Bayhealth filed official notice of the breach with the U.S. Department of Health and Human Services Office for Civil Rights.
Then, on July 5, 2022, Bayhealth posted notice of the breach on its website, in which the company notes that the breach impacted 17,481 Bayhealth patients.
Professional Finance Company explains that, aside from Bayhealth, there were approximately 650 other providers affected by the breach. It remains to be seen how many individuals in total were affected by the PFC data breach; however, given the scope of the breach, it is possible that it may be the largest healthcare data breach of 2022.
Bayhealth Medical Center, Inc. is a not-for-profit healthcare provider based in Dover, Delaware. Bayhealth is made up of Bayhealth Hospital, Kent Campus and Bayhealth Hospital, Sussex Campus, an Emergency Department in Smyrna, as well as numerous satellite facilities and physician practices covering a range of specialties. Bayhealth is affiliated with Penn Medicine for Heart and Vascular, Cancer and Orthopedics. Bayhealth Medical Center employs more than 4,000 people and generates approximately $587 million in annual revenue.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Bayhealth data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Bayhealth Medical Center, Inc. (the actual notice sent to consumers can be found here):
Professional Finance Company, Inc. (PFC) is notifying individuals whose information may have been involved in a recent network security incident. PFC is an accounts receivable management company that provides assistance to various organizations (including healthcare providers). Visit PFC’s website here for more information.