Breach Notification , Cybercrime , Fraud Management & Cybercrime

Air-Ground Ambulance Firm Tells 858,000 of Hack 1 Year Ago

It's the Latest Hack Reported in Recent Weeks by an Ambulance Services Provider
Air-Ground Ambulance Firm Tells 858,000 of Hack 1 Year Ago
Superior Air-Ground Ambulance Service is notifying more than 858,000 people of a 2023 hack that compromised their data. (Image: Superior Air-Ground Ambulance)

An Illinois-based air-ground ambulance company is notifying more than 858,000 individuals that their sensitive information was compromised in a hacking incident that happened about a year ago. The breach is the latest hack on an ambulance company reported to regulators in recent weeks.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

Superior Air-Ground Ambulance Service filed a report on May 10 to the U.S. Department of Health and Human Services saying that the 2023 hacking incident involved a network server and affected 858,238 individuals.

The company's breach notice says that in May 2023, Superior learned of "unusual activity" within its computer systems. "Superior promptly took steps to secure the system and began a comprehensive investigation to confirm the full nature, scope and impact of the event," the company said.

About a month later, on June 23, 2023, the company's investigation determined that an unauthorized actor copied certain files from its network between May 15, 2023, and May 23, 2023.

"Superior subsequently worked to undertake a comprehensive and time-intensive review of the affected files to identify and catalogue what information was present and to whom that information relates," the company said. "Superior then worked to determine contact information for those individuals. Superior is now taking steps to notify potentially affected individuals of this event."

The information contained in the affected files varies by individual but may include name, address, birthdate, Social Security numbers, driver's license or state identification number, financial account information, payment card information, patient record information, medical diagnosis or condition information, medical treatment information, and health insurance information, Superior said.

Under the HIPAA breach notification rule, covered entities are supposed to notify HHS "without unreasonable delay and in no case later than 60 days" following a breach affecting 500 or more individuals. And for HIPAA breaches of any size, individual notifications must be provided no later than 60 days following the discovery of a breach.

"Superior's 60-day clock started on June 23, 2023," said regulatory attorney Paul Hales of the Hales Law Group. "The 60-day window may be lengthened only at the direction of law enforcement investigating criminal activity or a threat to national security. We do not - and would not - know now if that caused Superior to delay notification."

Superior Air-Ground did not immediately respond to Information Security Media Group's request for additional details about the hacking incident, including explanation for why it took the company about a year to report the breach to regulators and notify affected individuals.

Elmhurst, Illinois-based Superior Air-Ground has 3,000 employees and provides emergency medical services - including paramedics, rescue divers, ambulances, medical flights and emergency medical equipment - in five Midwest states.

Special Challenges?

Superior Air-Land is not the only ambulance company to report a hacking incident to federal regulators this month.

On May 7, DocGo, which provides mobile medical and transportation services in the U.S. and the United Kingdom, reported to the U.S Securities and Exchange Commission that it "recently" identified a cybersecurity incident involving some of its systems. The filing does not give the date the incident was discovered.

DocGo told the SEC that the company's investigation so far had determined that a threat actor accessed and acquired data, including certain protected health information, from a limited number of healthcare records within the firm's U.S.-based ambulance transportation business, and that no other business lines have been involved.

As of Thursday, the company appeared to have not yet reported a HIPAA breach to HHS' Office for Civil Rights. DocGo did not immediately respond to ISMG's request for additional details about its cyber incident, including the approximate number of affected individuals and type of information potentially compromised.

Despite the scant details made public so far, DocGo is already facing at least one proposed federal class action lawsuit related to its cybersecurity incident.

In a complaint filed on May 9 in the U.S. District Court for the Southern District of New York, former DocGo patient David Manuel, on behalf of himself and others similarly situated, alleged among other claims that the company was negligent because it failed to protect sensitive personal and health information of patients.

The lawsuit seeks financial damages, extended identity and credit monitoring for the plaintiff and class members, and injunctive relief that requires DocGo to improve its data security practices.

Class action law firms are already circling in on the Superior Air-Ground Ambulance breach.

By Thursday, several law firms, including Lynch Carpenter LLP, Wolf Haldenstein Adler Freeman & Herz LLP and Murphy Law Firm had each issued a public statement saying that their firms are investigating claims against the ambulance company related to its data breach.

In general, companies that specialize in mobile medical emergency services often face challenges not encountered by brick-and-mortar healthcare providers, Hales said.

"Ambulance companies operate in the field, not in controlled settings like a hospital," said Hales, who is not involved in the potential class action litigation against Superior or the case involving DocGo.

"That calls for special HIPAA compliance training," he said. "Think of EMT/EMS personnel as healthcare special forces. Superior's investigation should identify the malware source and procedures to reduce the likelihood of a reoccurrence," he said.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.