Cyber Incident Victim: Professional Finance Company Inc.
Date: Feb 2022
Location: United States of America
Summary
A ransomware attack targeted Professional Finance Company Inc., a financial services provider for healthcare and other sectors, compromising data from over 600 healthcare organizations. The Quantum ransomware group, linked to Conti cybercrime affiliates, used Cobalt Strike for network infiltration and exfiltrated sensitive patient information including names, addresses, financial details, and in some cases Social Security numbers, birth dates, and medical treatment data. The breach prompted notifications to affected individuals with offers of credit monitoring services. Attackers employed command-line tools for data theft prior to encrypting systems, leveraging infrastructure associated with the Quantum operation, which emerged from earlier rebranded ransomware variants like MountLocker.
Description
On or around February 23, 2022, Professional Finance Company Inc. (PFC), a Colorado-based accounts receivable management firm serving the healthcare, government, and utility sectors, experienced a ransomware attack that compromised sensitive data across its systems. The attackers gained unauthorized access to files containing personal information before encrypting portions of PFC's infrastructure. An investigation initiated following the breach confirmed that the attackers exfiltrated patient data from over 657 healthcare organizations that partnered with PFC for billing and collections services. The compromised information included patients' full names, addresses, accounts receivable balances, and payment histories. For a subset of individuals, exposed records also contained dates of birth, Social Security numbers, health insurance details, and medical treatment information. PFC began notifying affected healthcare providers on May 5, 2022, with patient notification letters mailed subsequently. The company offered impacted individuals complimentary credit monitoring and identity theft protection services through Cyberscout but did not disclose the total number of affected patients or the specific technical systems compromised.

Cybersecurity firm AdvIntel attributed the attack to operators linked to the Quantum ransomware group, a rebranded faction of the Conti cybercrime syndicate. According to AdvIntel CEO Vitali Kremez, their Andariel threat detection platform identified Cobalt Strike infrastructure activity on February 23, 2022, coinciding with the attackers' lateral movement within PFC's network. The threat actors used command-line tools to exfiltrate data prior to deploying ransomware encryption. Quantum ransomware emerged in August 2021 as a rebrand of the MountLocker operation, historically associated with multiple name changes including AstroLocker and XingLocker. The Conti affiliation was further corroborated by reports indicating Conti members migrated to Quantum operations following Conti's disbandment, part of a broader trend where Conti actors infiltrated other ransomware groups like Hive and BlackCat. The breach disrupted PFC's services to healthcare providers nationwide, necessitating forensic investigations and regulatory notifications spanning three months before public disclosure on July 7, 2022. No ransomware payment demands or encryption details were disclosed by PFC in available reporting.
