Revenue cycle and collections vendors manage sensitive personal and financial information, and at times healthcare-related information, for their clients. These organizations have a critical role in account recovery or management of financial assets, and they are increasingly targeted by cybercriminals. The combination of high-value information and tightly integrated IT systems attracts attackers eager to obtain personal information or achieve financial gain.
Recently, Wakefield & Associates, LLC reported a data breach of personal information, which included Social Security numbers, financial information, and personal identification related to some of its clients. While the breach only impacted a certain number of clients, it illustrated the vulnerabilities that exist in the revenue cycle and collections industry as a whole.
Why Collections Firms are Protecting High Value Data
Collections firms maintain detailed financial history, account information, and personal identifiers for many individuals. As a result, the potential exists for collections and receivables databases to contain valuable information for identity thieves, fraudsters, and ransomware threat actors. Unlike consumer data databases that may only contain partial data for an individual, collections firms store fully integrated information that can be used to obtain immediate financial benefit.
Many of these companies also function across multiple clients as well as across sectors like health care. When finance-based and sensitive health data are intermixed, regulatory risk rises and harm to affected individuals from a breach is more likely.
Challenges in Cybersecurity
There are a number of factors that elevate risk in revenue cycle and collections firms:
- Reliance on Third-Party Providers: Typically, these firms rely on cloud providers, vendors, and integrated software platforms. If one of those external providers has a security incident, it creates potential risk for their entire system.
- Use of Legacy Systems: This sector often utilizes older IT architecture that supports neither today's security protocols nor advanced automated monitoring capabilities.
- Access to Sensitive Data by Employees: The work often involves high volumes of sensitive data on a regular or daily basis, heightening the risk of a security breach if employee credentials are compromised.
Consumer Impacts
A cyber incident at a collections agency will trigger significant impacts for clients and consumers, including:
- Identity theft, fraud, or unauthorized transactions on accounts
- Delays in timely resolution of financial disputes or account reconciliations
- Loss of confidence in the institutions managing sensitive information
The impact can be even more substantial for clients and consumers if their personal and financial data is associated with healthcare records or cooperative financial accounts that have limited options for recovery.
Risk Mitigation
Revenue cycle and collections agencies need to consider cybersecurity risk through these layers:
- Adoption of zero-trust architecture
- Ongoing vendor assessments
- Encryption of sensitive data at rest and in transit
- Regular employee training on phishing and credential safety
- Frequent penetration testing and risk assessments
Clients and consumers, for their part, should stay vigilant by monitoring accounts, setting fraud notifications, and validating notification requirements from service providers.
Conclusions
The Wakefield & Associates cyber incident confirms that data exposure for revenue cycle and collections agencies is not a worst-case scenario or hypothetical situation; it is an ongoing reality. As cybercriminals improve their attacks, it is imperative that agencies, and the clients and consumers they serve, take an active role in protecting their sensitive information. Meaningful security tools and practices, transparent business practices, and consumer awareness will assist in minimizing loss and rebuilding trust in an industry that provides a valuable service.
