Breach Notification , Fraud Management & Cybercrime , Healthcare

Daixin Gang Threatening to Leak 10 Million Ambulance Records

Data Theft Is Latest Cyberattack on an Emergency Medical Services Provider
Daixin Gang Threatening to Leak 10 Million Ambulance Records
Ransomware gang Daixin claims to have stolen 10 million patient records from Louisiana-based Acadian Ambulance. (Image: Acadian)

Ransomware group Daixin is threatening to leak sensitive medical information of 10 million patients on the dark web. The group claims to have stolen the data in an attack on Louisiana-based Acadian Ambulance - the latest in a string of incidents targeting emergency medical services.

See Also: 57 Tips to Secure Your Organization

Acadian Ambulance, which has been operating since 1971 and provides services to 24 million residents in 70 parishes and counties of Louisiana, Mississippi, Tennessee and Texas, discovered the incident in late June, the company said in a statement provided Wednesday to Information Security Media Group.

"Acadian’s IT department observed unexpected activity within our network that disrupted the operability of certain computer systems," Acadian said. "Upon discovering the activity, our team responded quickly and strategically to lock down systems to prevent any further unauthorized activity and activated backup and redundancy systems to prevent disruption to patient care."

While these steps helped Acadian continue operating without hurting patient care, the investigation into the incident determined that threat actors accessed a server containing patients' protected health information, the company said.

"Acadian is working quickly and diligently to identify and notify impacted individuals and will follow all other regulatory and notification requirements resulting from this incident," the company said.

Millions of Patients Potentially Affected

Based on tables that appeared on Daixin's leak site on Wednesday, the stolen Acadian data includes a database containing more than 11 million rows of patient records, including patient histories and cases involving suspected drug use, as well as more than 28,000 rows of employee information.

Daixin this week told media site DataBreaches.net that the information pertains to 11 million people but that 10 million appear to be unique individuals.

Daixin also said the gang demanded a $7 million ransom but after weeks of negotiating, Acadian claimed it could only pay less than $173,000. As of Tuesday, no ransom appears to have been paid, according to DataBreaches.net.

An Acadian spokesman declined ISMG's request for comment on Daixin's claims and for additional details about the incident.

Federal authorities issued a joint alert warning about Daixin Team in October 2022. The group was actively targeting U.S. businesses, predominantly in the healthcare and public health sector, according to the alert issued by the FBI, Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services (see: Security Alert: Daixin Ransomware Targets Healthcare).

As of Wednesday, dark web monitoring firm DarkFeed.io said Daixin has a total of 16 victims.

Some of the apparent healthcare sector victims are TransForm Shared Service Organization and the Ontario regional hospitals to which it provides shared IT services - Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital.

The organizations were attacked last October and struggled for many weeks to regain functionality of many critical IT systems, including electronic health records (see: Ontario Hospitals Expect Monthlong Ransomware Recovery).

Attractive Targets

The ransomware attack and data theft at Acadian is the latest in a series of hacks against ambulance companies and other emergency medical response providers in recent months.

In May, Illinois-based Superior Air-Ground Ambulance Service reported to the U.S. Department of Health and Human Services that a 2023 hacking incident affected more than 858,000 individuals (see: Air-Ground Ambulance Firm Tells 858,000 of Hack 1 Year Ago).

Also in May, DocGo, which provides mobile medical and transportation services in the U.S. and the United Kingdom, reported to the U.S. Securities and Exchange Commission that it had "recently" identified a cybersecurity incident involving some of its systems.

DocGo's SEC filing did not give the date the incident was discovered but said the company determined that the threat actor accessed and acquired data, including certain protected health information, from a limited number of healthcare records within the firm's U.S.-based ambulance transportation business.

As of Wednesday, DocGo does not yet appear to have reported a data breach to state or federal regulators (see: Hacking of DocGo Ambulance Service Exposes Patient Data).

"Ambulance companies have a combination of monetizable data, criticality - such that they cannot withstand any down time - and are apparently less protected than typical covered entities in healthcare," said Mike Hamilton, founder and CISO of security firm Critical Insight.

"These organizations operate in field and mobile settings and not in the enclosed confines of a hospital or clinic. Data must be made available in the field, and methods for making data available to arbitrary locations can be tricky in terms of access control," he said. "Mistakes made and vulnerabilities introduced have been discovered by criminals, and ambulance companies are being targeted as high-probability payouts."

Data housed by ambulance companies can include many sensitive details about individuals, including history of drug overdose, domestic violence, driving under the influence and other information that the patients and victims would not want exposed, according to Hamilton.

"Failure to pay the extortion demand will cause the criminals to make the information public, which puts those patients and victims at elevated risk of not only identity theft and other acts of fraud, but also individual extortion," he said.

Privacy statutes in California and elsewhere have established a private right of action, and the public release of stolen records often results in litigation, making these public leaks "especially pernicious," Hamilton added.

"Ambulance companies would do well to review the investments made in cybersecurity controls, with a focus on detection and response," he said, adding that minimizing the impact of a potential cyber incident should be a top goal for these firms. "Catching an incident in its initial stages and providing rapid and effective response can turn something that had the potential to be catastrophic into a routine cleanup."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.