Acadian Ambulance Notifying Nearly 3 Million of Data Theft
Ransomware Gang Daixin Claims It Published Sensitive Patient Info on Dark Web Site

A Louisiana-based ambulance company that provides emergency medical care services in four states is notifying nearly 3 million people that their sensitive health information was potentially stolen in a June hack. Ransomware gang Daixin claims to have published the data on its dark web leak site.
Acadian Ambulance Service in a breach notice said the incident affects the information of current and former patients, including names, addresses, Social Security numbers, birthdates and medical information collected during the patient intake process. Not all individuals had the same information affected, the statement said.
The company reported the hacking incident to the U.S. Department of Health and Human Services on Aug. 20 as affecting 2.89 million individuals and involving a network server.
Acadian Ambulance, which has been operating since 1971, provides emergency and nonemergency medical care to more than 21 million residents across a 62,000-square-mile region in Louisiana, Mississippi, Tennessee and Texas. The company says its fleet of 500 ambulances and med flight helicopters transports about 600,000 patients annually and travels 38 million miles each year.
In its breach statement, Acadian Ambulance said that on or around June 21, it became aware of suspicious activity relating to certain systems within its network. "Acadian immediately took steps to secure our systems and launched an investigation with the assistance of third-party computer specialists to confirm the full nature and scope of the activity and to restore functionality to the affected systems."
The company's investigation found that the unauthorized access to Acadian's network occurred between June 19 and 21 "and that certain files and folders were or may have been taken without authorization during that time."
Daixin on its dark web leak site claims to have published sensitive information pertaining to 10 million Acadian Ambulance patients, including records involving patient case histories, "suspected drug use," and physician "care point" documentation. The leak site also lists files allegedly pertaining to Acadian employees.
In July, Daixin claimed it had demanded a $7 million ransom from Acadian but that after weeks of negotiating, the company claimed it could only pay less than $173,000, according to DataBreaches.net (see: Daixin Gang Threatening to Leak 10 Million Ambulance Records).
Acadian Ambulance declined Information Security Media Group's request for additional details about the incident, including comment on Daixin's claims.
Acadian Ambulance in a statement to ISMG said it is aware of the "perpetrators'" claims about the attack and added, "We believe the number of affected persons is much less than reported."
As of Monday, Acadian Ambulance is facing at least 10 proposed federal class action lawsuits filed against the company related to the data breach.
Among other claims, the lawsuits - which seek financial damages and a court order for Acadian to improve its data security practices - allege the company was negligent in failing to institute adequate protective security measures to safeguard plaintiffs' and class members' sensitive personal information.
As a result, those individuals are at risk for identity theft and fraud crimes, the lawsuits allege.
In its breach notice, Acadian said it has no evidence that any affected information has been used to commit identity theft or fraud. The company is offering affected individuals complimentary identity and credit monitoring services.
Acadian also reported the incident to federal law enforcement.
"Acadian is reviewing its policies, procedures and processes to reduce the likelihood of a similar future event."
Daixin Team was the subject of a joint alert from federal authorities in October 2022.
The group has been actively targeting U.S. businesses, predominantly in the healthcare and public health sector, according to the alert issued by the FBI, the Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services (see: Security Alert: Daixin Ransomware Targets Healthcare).
Daixin on its dark web site also lists several Ontario-area hospitals - Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital - among its healthcare sector victims (see: Ontario Hospitals Expect Monthlong Ransomware Recovery).