(July 1, 2022)

UCHealth was recently informed by Professional Finance Company (PFC), a third-party billing company, of a security incident that impacted data held by the company on its servers. PFC is an accounts receivable management company providing debt recovery services located in Greeley, Colorado. PFC serves local northern Colorado clients as well as clients throughout the country. Some UCHealth locations utilized PFC.

PFC experienced a network security issue involving ransomware in 2022 in which an unauthorized 3rd party accessed and disabled some of PFC’s computer systems. When PFC discovered the issue, they immediately disconnected the affected systems and engaged third-party forensic specialists to assist with securing the network and investigating the activity. Data from some UCHealth patients was on the PFC computer systems and may have been included in this data breach, though UCHealth’s systems were not affected.

Individuals’ first and last name, address, accounts receivable balance/payment information, and one or both of date of birth (DOB) and Social Security number (SSN) were potentially impacted in the incident. No patient medical or financial (e.g. credit card/banking) information was impacted. UCHealth’s electronic medical record and patients’ medical records on our systems were not impacted.

PFC is notifying all individuals who may be impacted.

UCHealth values its patients, and protecting their data is a top priority. Though we have no reason to believe the PFC impacted data went beyond the cybercriminal or was misused in any way, we are sharing this security incident so patients may protect themselves by watching for any suspicious activity or possible identity theft. Additional information regarding steps that can be taken to protect from identity theft can be found in the notice affected individuals receive in the mail, or by clicking on the link below.

We apologize for the concern and inconvenience this data breach may cause, and we remain committed to safeguarding our patients’ information.

PFC has taken additional steps to protect data and prevent this type of attack from happening again.

For more information, please see PFC security incident.