-
Cybercriminals exposed the personal and medical data belonging to over 237,000 patients after carrying out a ransomware attack on Bell Ambulance service based in the US.
-
The Medusa ransomware group revealed being responsible for the attacks and demanded $400,000 to stop them from releasing approximately 219 GB of the patient’s data.
-
Some of the data criminals stole in the attack include medical records, financial data, Social Security numbers, and details of people’s driver license.
Cybercriminals have taken hold of the personal information belonging to many patients who have used Bell Ambulance, for one medical emergency or another.
Bell Ambulance offices are in Wisconsin and it serves many purposes to clients, which include giving them paramedic care, using its ambulance to transport patients, and supporting patients in one emergency or the other.
Any community where there is a need to transfer patients from one facility to another, Bell Ambulance is the go-to company for that. Also, during cases of emergencies in any medical situation, the company brings its transport facilities to handle it to make sure the patients get the right and fast treatment when they need it.
A cyberattack against the ambulance service provider in 2025 led to the loss of sensitive data of 237,830 individuals. Earlier in February 2025, the company discovered that there was some suspicious activity in its network and kickstarted an investigation immediately.
The investigation revealed that cybercriminals have stolen both personally identifiable information (PII) & PHI (Protected Health Information) of its clients.
Medusa Ransomware Claims Responsibility for the Attack
In a report VenariX shared on X about the incident, cybercriminal group Medusa announced it was responsible for the data breach on Bell Ambulance.
In the announcement of March 2025, Medusa listed the company on its leak site and demanded a ransom of $400,000 or else it would make the 219 GB of data belonging to Bell’s clients public.
Medusa is a popular bad actor that targets critical infrastructure organizations, the education sector and healthcare. It mainly goes for the sector that suffers serious issues with a little service disruption.
The group achieves its financial goals with its ransomware-as-a-service (RaaS) operation. It allows affiliates to carry out attacks using the ransomware it owns and afterwards shares the profits with the perpetrators.
In the case of Bell Ambulance, the cybercriminals followed the same approach that many ransomware campaigns have used in recent times. First, they gained access to the organization’s network & gatheredthousands of sensitive pieces of information before pushing for the ransom payment.
With the threat of leaking the data publicly, ransomware groups aim to mount pressure on their victims so they will pay the ransom. According to reports, the Medusa group exposed the data because Bell Ambulance didn’t pay the ransom they demanded.
This exposure adds to the growing trove of healthcare data circulating on the dark web, including patient records from the Doctor Alliance breach, where criminals can purchase medical histories, insurance details, and personal identifiers for use in fraud schemes.
What Data was Exposed and How the Company Responded
The Bell Ambulance data breach exposed a lot of sensitive personal & medical information belonging to patients who at one time used the company’s emergency transport & healthcare services.
According to the letters the company sent out about the breach, the criminals stole patients’ names, dates of birth, details of client driver’s license details, Social Security numbers, information about their financial account, medical records, & health insurance data.
The filing with the Attorney General of Maine also confirmed that the bad actors had gone away with this sensitive and private information. Criminals usually don’t joke with this kind of information because they could use it to steal people’s identities, commit different kinds of fraud, medically or financially.
Notably, after they discovered that the bad actors had entered their network in February 2025, Bell Ambulance started looking inwards to find what went wrong. They also brought in people who know about such cases from outside to help them in the investigation and find out how much damage the thieves had done to them.
Afterwards, the company changed the old passwords to new ones and made their security controls stronger. They also used more tools to boost their network, so such access won’t happen again.
Bell Ambulance also sent out notifications to its clients who lost their information in the breach and even offered free credit monitoring & identity protection services for a set time. However, experts advise individuals to remain watchful against phishing attempts, suspicious financial activities, and frauds with their identity.
Notably, Federal Law enforcement agencies also issued advisories about Medusa’s tactics in March 2025, encouraging organizations to implement the recommendations they shared on how to mitigate the attacks by Medusa.
