Receivables Performance Management (RPM), a business associate to a number of businesses, including those in the healthcare sector, has been notifying regulators and individuals bout an incident in 2021 that reportedly impacted more than half a million Texans and an as-yet untold total number of individuals.
The Washington state entity revealed that on May 12, 2021, they became aware of an incident that was determined to be a ransomware attack. The threat actors had gained access on April 8, but the ransomware was not launched until May 12. RPM immediately disconnected all equipment and began efforts to restore systems.
“Immediately following the incident and over a 36-hour time frame, RPM rebuilt its shared servers from the ground up and removed and re-installed all collection and dialing software on all equipment. RPM also retained a forensic investigation firm to determine the nature of the security compromise and identify any individuals whose information may have been compromised,” RPM writes. It took them until October 2, 2022, they write, to conclude their investigation into what kinds of information and who was possibly affected.
Their notification also stated that they “also obtained confirmation to the best of its ability that the information is no longer in the possession of the third party(ies) associated with this incident.”
So what does that mean? That they paid ransom? If so, why didn’t they just say that clearly?
A template copy of their notification can be found on the California Attorney General’s web site.
The incident has already resulted in at least one potential class action lawsuit.
RPM provides a variety of services to its clients, including debt collection.