Bayhealth Medical Center, Inc. Confirms More than 17,000 Patients Impacted by Professional Finance Company Data Breach

Console and Associates, P.C.

On July 5, 2022, Bayhealth Medical Center, Inc. posted notice of a data breach that affected the sensitive information of as many as 17,481 patients. In its notice, Bayhealth explained that the incident involved a breach at one of the company’s vendors used to collect patient debts, Professional Finance Company, Inc. (“PFC”). As a result of the Professional Finance Company data breach, patients’ first and last names, addresses, dates of birth, Social Security numbers, health insurance information and medical treatment information were accessible to an unauthorized party. However, Bayhealth is only one of approximately 650 healthcare practices affected by the PFC breach, many of which have yet to report the incident. Thus, the total number of parties affected by the PFC breach remains unknown.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Bayhealth Medical Center data breach, please see our recent piece on the topic here.

The Bayhealth Medical Center and PFC Data Breach Timeline

The Bayhealth/PFC data breach is somewhat unusual in that, although it affected the information of Bayhealth patients, it did not involve the medical center’s own data security systems. Instead, hackers exploited weaknesses in PFC’s systems.

PFC is a debt collection company that works with other organizations to recover their overdue accounts. Bayhealth has an arrangement with PFC under which PFC attempts to collect payment for certain Bayhealth patient accounts. To enable PFC to effectively collect debts, Bayhealth provides PFC with patient information.

Because the Bayhealth/PFC data breach did not involve Bayhealth’s own data security systems, the medical center has not, at least so far, issued a data breach letter of its own. Instead, the Bayhealth website briefly explains the breach and provides a link to the PFC data breach letter.

Essentially, the PFC breach stems from a February 2022 ransomware attack in which an unauthorized party gained access to sensitive information on PFC’s servers. According to PFC, the company “detected and stopped” the attack almost immediately; however, after conducting an investigation, it could not rule out that the unauthorized party had accessed data. PFC therefore reviewed all of the data that had been accessible to the unauthorized party. This review confirmed that the unauthorized third party accessed files containing certain individuals’ personal information during the incident, including patients’ first and last names, addresses, dates of birth, Social Security numbers, health insurance information and medical treatment information.

On May 5, 2022, Professional Finance Company sent data breach letters to all affected patients, and, on June 30, 2022, Bayhealth filed official notice of the breach with the U.S. Department of Health and Human Services Office for Civil Rights.

Then, on July 5, 2022, Bayhealth posted notice of the breach on its website, in which the company notes that the breach impacted 17,481 Bayhealth patients.

Professional Finance Company explains that, aside from Bayhealth, there were approximately 650 other providers affected by the breach. It remains to be seen how many individuals in total were affected by the PFC data breach; however, given the scope of the breach, it is possible that it may be the largest healthcare data breach of 2022.

Bayhealth Medical Center, Inc. is a not-for-profit healthcare provider based in Dover, Delaware. Bayhealth is made up of Bayhealth Hospital, Kent Campus and Bayhealth Hospital, Sussex Campus, an Emergency Department in Smyrna, as well as numerous satellite facilities and physician practices covering a range of specialties. Bayhealth is affiliated with Penn Medicine for Heart and Vascular, Cancer and Orthopedics. Bayhealth Medical Center employs more than 4,000 people and generates approximately $587 million in annual revenue.

The PFC Data Breach May Be the Largest Healthcare Data Breach of 2022

According to the notice provided by Professional Finance Company, the recent breach affected patients at more than 650 providers across the country. While many of these providers have not yet filed notice of the breach, Bayhealth alone reports that the information of over 17,000 patients was compromised. This could mean that, collectively, the PFC data breach is the largest healthcare data breach so far this year.

The Bayhealth/PFC data breach is what is known as a third-party data breach because hackers obtained consumer information not from the company that originally received the data from consumers but from a third-party vendor. As companies begin to outsource more critical functions of their businesses, third-party data breaches have become more common.

These breaches also raise complex questions when it comes to liability. As a general rule, a third-party vendor, such as PFC, owes the same duty to consumers as the company that accepts the data directly from the consumers. Thus, depending on the outcome of the PFC data breach investigation, PFC could be liable to Bayhealth patients for any damages stemming from the incident.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Console and Associates, P.C.
