The Professional Finance Company (PFC) data breach class action settlement provides compensation to thousands of individuals whose personal information was compromised in a 2022 ransomware attack. A $2.5 million settlement was reached to compensate class members who had their data exposed, with eligible individuals able to recover up to $500 for documented losses related to identity theft or fraud prevention. For example, if you paid for credit monitoring services or had fraudulent charges resulting from the breach, you can file a claim to recover those expenses.
The settlement represents one approach to addressing the growing problem of healthcare-adjacent data breaches. Professional Finance Company served as a financial processor for healthcare organizations, meaning the breach potentially exposed sensitive information belonging to patients across multiple medical providers. The court preliminarily approved the settlement in October 2024, and the final approval hearing is scheduled for April 17, 2025. If you believe you were affected by this breach, understanding the claims process and deadlines is critical since the claim filing deadline was February 12, 2025.
Table of Contents
- How Did the Professional Finance Company Data Breach Happen?
- Understanding the Settlement Amount and Compensation Structure
- What Information Was Compromised in the Breach?
- How to File a Claim and Meet Deadlines
- Identity Theft Risks Following the PFC Breach
- The Role of Final Approval and Class Member Verification
- Data Breach Settlements and What They Mean Going Forward
- Conclusion
How Did the Professional Finance Company Data Breach Happen?
The data breach occurred in February 2022 when Professional Finance Company discovered a Quantum ransomware attack had gained unauthorized access to its systems. The attack exposed files containing personal information of individuals that PFC’s clients—primarily healthcare organizations—had used their services to work with. Unlike some breaches that stem from outdated security practices, this attack was a deliberate criminal operation involving ransomware, a type of malicious software designed to lock access to data and demand payment for its return.
The scope of the breach was significant because PFC’s client list included many healthcare organizations, which meant the exposed data potentially affected a broad swath of patients. When ransomware actors breach healthcare-adjacent companies, they often gain access to more than just financial records; they may access contact information, Social Security numbers, and health-related data. This is why the settlement specifically compensates individuals whose Social Security numbers were exposed, recognizing that SSN theft poses particular risks for identity fraud that can take years to fully resolve.
Understanding the Settlement Amount and Compensation Structure
The $2.5 million settlement was distributed among eligible class members, though not everyone who was affected receives the same amount. The compensation structure reflects different levels of exposure and impact. Class members whose Social Security numbers were exposed could receive up to $500 for unreimbursed losses directly caused by the breach, including charges for fraud monitoring, credit repair services, credit freeze fees, or documented identity theft losses. This compensation model differs from some settlements where affected individuals receive a flat payment regardless of actual harm incurred.
A limitation of this settlement is that it only covers documented, unreimbursed losses—you must provide evidence that you incurred expenses specifically related to the breach. If you noticed fraudulent charges but your bank reimbursed them automatically, you may need documentation showing what you paid out of pocket. Additionally, the $500 cap means that individuals who experienced substantial identity theft may find the maximum compensation insufficient to cover all losses. California residents received an additional benefit: those whose SSNs were impacted could elect to receive an extra $50 payment, acknowledging California’s stricter data breach notification laws and privacy protections.
What Information Was Compromised in the Breach?
The Professional Finance Company breach exposed files containing personal information used by their healthcare client organizations. The specific data elements exposed included names, contact information, and Social Security numbers for many individuals. Because PFC processed financial information for healthcare providers, the breach potentially touched people who had been patients at multiple medical facilities. This differs from a typical medical records breach, where exposure is usually limited to one provider’s patient base.
The timing of the breach discovery—February 2022—is significant because it represents when the ransomware attack was detected and stopped, not necessarily when unauthorized access first occurred. Ransomware attacks often persist undetected for weeks or months before being discovered. In the Professional Finance Company case, the attack was stopped relatively quickly, but not before sensitive data had been accessed. The company subsequently notified affected individuals and regulators about the breach, leading to the class action lawsuit.
How to File a Claim and Meet Deadlines
Filing a claim in the Professional Finance Company settlement requires submitting documentation of your losses within the established timeframe. The critical deadline was February 12, 2025—any valid claim forms had to be received by this date to be eligible for compensation. If you missed this deadline, you may still be able to file a late claim, but such claims face stricter review and are often denied unless you can demonstrate extraordinary circumstances for the delay.
To file your claim, you needed to provide evidence of unreimbursed losses caused by the breach, such as receipts for credit monitoring services, documentation of fraudulent charges, credit repair invoices, or proof of credit freeze/unfreeze fees. The tradeoff of this documentation requirement is that it protects the settlement fund from frivolous claims, but it also creates a barrier for people who don’t have organized records. If your credit card company or bank reimbursed fraudulent charges without your direct out-of-pocket payment, you generally cannot recover that loss through the settlement, even though you experienced the inconvenience and potential credit impact.
Identity Theft Risks Following the PFC Breach
When a data breach exposes Social Security numbers, the risk of identity theft extends far beyond the immediate aftermath of the breach. Social Security numbers can be used to open fraudulent credit accounts, obtain loans, or file fraudulent tax returns—sometimes years after the initial compromise. A significant warning: even if you don’t see fraudulent activity within the first year following the breach notification, you should continue monitoring your credit reports and consider placing a fraud alert or credit freeze with the major credit bureaus.
The Professional Finance Company settlement’s compensation for identity theft services acknowledges this extended risk window. However, the settlement only covers documented losses, not the cost of ongoing credit monitoring. If you choose to subscribe to credit monitoring for several years following the breach—a reasonable precaution when your SSN is compromised—the settlement may only cover the initial service if it was obtained as a response to the breach. This means you may face ongoing expenses for credit protection that exceed what the settlement reimburses.
The Role of Final Approval and Class Member Verification
The settlement’s final approval hearing scheduled for April 17, 2025 represents the court’s last opportunity to evaluate whether the settlement is fair, reasonable, and adequate before distributing funds to class members. During this hearing, the judge reviews claims, considers objections from class members, and approves or modifies the distribution plan. Final approval is not automatic; if the court finds problems with the settlement administration or identifies significant discrepancies in claims, it can delay or modify the final distribution.
After final approval, the settlement administrator begins verifying claims and processing distributions. Class members who filed valid claims by the February 12, 2025 deadline would receive checks or other compensation methods as determined by the court. The verification process typically takes several months, so recipients should not expect immediate payment even after final approval.
Data Breach Settlements and What They Mean Going Forward
The Professional Finance Company settlement is part of a broader pattern of healthcare and healthcare-adjacent companies reaching settlements with consumers over data breaches. As more organizations process sensitive health and financial information, the frequency of breaches appears likely to continue. Settlements like this one establish the precedent that companies will face financial consequences for inadequate security measures, though critics argue that settlement amounts often represent a small fraction of companies’ revenues and may not create sufficient incentive for enhanced security spending.
Looking forward, healthcare-adjacent companies are under increasing pressure from regulators and from consumers to implement stronger cybersecurity controls. The breach notification laws that created visibility around this incident have also become more stringent, particularly in states like California, which is why California residents received enhanced settlement benefits. For consumers, the lesson is that data breaches affecting healthcare organizations—even indirect ones—warrant careful attention to credit monitoring and claim deadlines.
Conclusion
The Professional Finance Company data breach settlement offers compensation to individuals affected by a 2022 ransomware attack that exposed personal information including Social Security numbers. With a $2.5 million settlement providing up to $500 for documented losses, plus an additional $50 for eligible California residents, the class action represents an opportunity to recover specific expenses incurred as a result of the breach.
However, the February 12, 2025 claim deadline has already passed, meaning new claims are unlikely to be accepted. If you believe you were affected by the Professional Finance Company breach and missed the initial deadline, contact the settlement administrator to inquire about late claim procedures or consult with a consumer rights attorney about your options. Regardless of settlement eligibility, individuals whose SSNs were compromised should maintain vigilant credit monitoring and consider placing fraud alerts or credit freezes with the major credit bureaus—protections that can help prevent identity theft even years after a breach occurs.