238,000 Reasons Emergency Services Can't Ignore Ransomware

The Medusa ransomware group spent seven days inside Bell Ambulance's network before anyone noticed. By the time forensic investigators were finished — a full year later — 237,830 people learned that their Social Security numbers, medical records, and financial data had been sitting on a criminal leak site for months.

When people think of ransomware targeting healthcare, hospitals dominate the conversation. But this breach underscores a pattern that security researchers have flagged repeatedly: emergency medical services providers are equally exposed, often less defended, and hold data that is just as sensitive. The Bell Ambulance incident is not just a Wisconsin story. It is a case study in what happens when a critical infrastructure organization underestimates its threat surface, encounters a sophisticated ransomware-as-a-service operation (a criminal business model in which ransomware developers lease their malware and infrastructure to affiliate attackers and split the ransom proceeds: the developers handle tooling, the affiliates run the intrusions), and takes over a year to fully understand the scope of what was stolen.

237,830 people affected
7 days undetected dwell time
219.5 GB data exfiltrated
$400K ransom demanded
378 days from breach to final notification

Who Is Bell Ambulance?


Bell Ambulance, Inc. is headquartered in Milwaukee, Wisconsin, and holds the distinction of being the largest private ambulance provider in the state. The organization serves communities across a wide corridor of southeastern Wisconsin, with stations in Milwaukee, Wauwatosa, Waukesha, Racine, Mount Pleasant, Kenosha, and surrounding cities. Its more than 750 employees respond to roughly 140,000 ambulance calls per year, handling everything from emergency trauma response to routine interfacility patient transfers and non-emergency transport.

That operational scale matters in understanding the breach. Every patient transported, every billing interaction, and every insurance claim processed generates protected health information (any individually identifiable health information held or transmitted by a HIPAA-covered entity or its business associates, including names, SSNs, medical records, and insurance data linked to a specific person). By the nature of what they do, EMS providers accumulate layered data portfolios: not just contact information, but dates of service, conditions treated in the field, medication histories, insurance coverage details, and financial account information tied to billing. When an attacker gains access to an EMS provider's systems, they are not just sitting inside a computer network. They are sitting inside one of the most sensitive data environments in the healthcare sector.

EMS providers rarely appear in the same sentence as "hospital-grade data risk," but they should. A single ambulance call can produce a record containing name, DOB, SSN, insurance carrier, employer, medications administered, and billing account details. Multiply that by 140,000 annual calls and the data density rivals a regional hospital. The security investment, historically, does not. This gap between data density and security investment is what makes EMS organizations structurally attractive to groups like Medusa.

The Attack: A Year-Long Investigation


Bell Ambulance detected unauthorized activity on its computer network on February 13, 2025. The company immediately retained third-party forensic specialists to determine what had happened and how far the intrusion had reached. Subsequent investigation confirmed that the attackers had accessed the network between February 7 and February 14, 2025 — a seven-day window that passed entirely undetected until the final day.

Bell Ambulance Breach Timeline
Feb 7, 2025: Initial access
Feb 7–13, 2025: Seven days of undetected access
Feb 13, 2025: Detection and containment
~Feb–Apr 2025: Medusa publishes the data
Mar 12, 2025: CISA/FBI joint advisory on Medusa
Apr 14, 2025: First public disclosure
Feb 20, 2026: Investigation concludes; final count 237,830
Seven days is not unusual — the industry median dwell time across all sectors has been measured at 10 days, and healthcare organizations often run longer. But "not unusual" is not the same as "acceptable." In seven days, a well-resourced attacker can map an entire Active Directory environment, identify and access every data store, exfiltrate hundreds of gigabytes, and stage the ransomware payload for detonation — all while their activity blends into normal operations. The Bell Ambulance breach did not fail because perimeter tools were absent. It failed because nothing was watching what happened after entry.

According to Bell Ambulance's breach notification letter submitted to the Maine Attorney General's Office, the company stated it became aware of "unauthorized activity" on February 13, 2025, immediately retained third-party forensic specialists, and confirmed that an unauthorized individual had accessed data within its network.

The organization sent initial notification letters to approximately 114,000 people it could identify on April 18, 2025 — while the data review was still ongoing. By the time the investigation formally concluded on February 20, 2026, Bell notified the Maine Attorney General that the total number of affected individuals had grown to 237,830. The final scope was more than double the initial estimate.

The data stolen included first and last names, dates of birth, Social Security numbers, driver's license numbers, financial account information, medical information, and health insurance data — essentially the complete identity and health profile of everyone whose records were on the affected systems at the time of the intrusion.

Data Exposed

The confirmed stolen data categories include: full names, dates of birth, Social Security numbers, driver's license numbers, financial account details, medical information, and health insurance information. All 237,830 affected individuals are at elevated risk for identity theft, medical fraud, and financial account compromise.

Bell Ambulance responded by resetting passwords across its systems, hardening its network, and offering affected individuals up to 12 or 24 months of complimentary credit monitoring and identity protection services through IDX. The company stated in its notifications that it was unaware of confirmed misuse of the data at the time of disclosure — a standard legal qualifier that carries less reassurance than it might appear, given that Medusa had already published the stolen data on its leak site months earlier.

Who Is the Medusa Ransomware Group?


The group that claimed responsibility for this attack, Medusa, is not a small-time criminal operation. It is a sophisticated, well-organized ransomware-as-a-service (RaaS) platform (developers lease malware and infrastructure to affiliates in exchange for a cut of ransom proceeds; Medusa's variant is notable for retaining centralized control over negotiations even after expanding to an affiliate model) that the FBI, CISA, and MS-ISAC jointly identified as a major threat to critical infrastructure in a formal advisory issued March 12, 2025, one month after the Bell Ambulance breach.

John Riggi, the American Hospital Association's National Advisor for Cybersecurity and Risk, commented on the March 2025 CISA/FBI advisory by noting that Medusa has conducted high-impact attacks against hospitals that disrupted and delayed healthcare delivery, posing direct risks to patient and community safety. (AHA, March 2025)

According to the joint advisory, Medusa was first identified in June 2021 and originally operated as a closed ransomware variant, meaning all development and operations were controlled by the same group of actors. It later evolved into an affiliate model, but with a notable distinction: the core Medusa developers retained centralized control over ransom negotiations, even as they recruited outside actors to carry out attacks. The FBI advisory documented that initial access brokers (IABs), cybercriminals who specialize in gaining unauthorized network access and selling that access to other threat actors such as ransomware groups rather than running attacks themselves, are paid between $100 and $1 million per access point to provide entry into victim networks, with some affiliates operating exclusively for Medusa.

As of February 2025, Medusa had impacted more than 300 victims across critical infrastructure sectors, with affected industries spanning medical, education, legal, insurance, technology, and manufacturing. By January 2026, that number had grown to more than 500 confirmed victims, according to analysis from Darktrace. Public-sector organizations have been among the hardest hit — as covered in the Clackamas County attack, Medusa has repeatedly targeted government and emergency services infrastructure using the same TTPs documented here.

How Medusa Operates: The Attack Chain

Medusa attack chain
  1. Initial Access
  2. Credential Harvest
  3. Lateral Movement
  4. Defense Evasion
  5. Exfiltration
  6. Encryption
  7. Extortion
The paragraphs that follow describe how each phase played out and which tools were involved.

Medusa actors typically gain initial access through phishing campaigns and by exploiting unpatched software vulnerabilities. The CISA advisory specifically cited the ScreenConnect authentication bypass (CVE-2024-1709) and a Fortinet EMS SQL injection flaw as known entry points. Once inside a network, Medusa affiliates use living off the land (LoTL) techniques: rather than custom malware, they use legitimate, pre-installed system tools such as PowerShell and Windows Management Instrumentation (WMI), blending their activity into normal system operations and making detection significantly harder because the activity resembles routine administrative behavior.

From there, the playbook is methodical: steal credentials using tools like Mimikatz, move laterally across the network using Remote Desktop Protocol (RDP), disable endpoint security software, and exfiltrate sensitive data before deploying the ransomware payload. Disabling endpoint security is sometimes done via a technique called Bring Your Own Vulnerable Driver (BYOVD): the attackers load a legitimate but vulnerable device driver into the target system and exploit it at the kernel level, often specifically to disable the endpoint security software that would otherwise block their activity. Files encrypted by Medusa receive the .MEDUSA extension, and a ransom note titled !!!READ_ME_MEDUSA!!!.txt is dropped on compromised systems.

Medusa employs a double extortion model: victims face both a demand to pay for the decryption key and a separate threat to publicly release the exfiltrated data if payment is not made, two separate levers of pressure. Victims are pressured to respond within 48 hours via a Tor-based live chat interface. If they do not respond, or refuse, Medusa publishes the stolen data on its dark web leak site, often selling it to additional buyers before the countdown timer expires.

In the Bell Ambulance case, Medusa claimed to have exfiltrated 219.5 GB of data and set a $400,000 ransom demand. The data was subsequently published on Medusa's leak site, strongly indicating Bell Ambulance did not pay. The publication of stolen data is not merely a shaming tactic — it transforms every individual whose records were in that dataset into an ongoing fraud risk, potentially for years.

Note: The FBI documented a triple extortion case involving Medusa (triple extortion extends double extortion with a third pressure point, such as DDoS attacks, contacting the victim's customers, or, as documented in Medusa cases, demanding a second ransom after the first is paid) in which a victim who paid the ransom was subsequently contacted by a second Medusa actor claiming the negotiator had stolen the payment and demanding half the original ransom again in exchange for the "true decryptor." Paying Medusa does not guarantee recovery or protection.

Medusa's hybrid structure — centralized negotiation, distributed attack execution — is deliberately resilient. Law enforcement can arrest an affiliate without touching the core developers. The IAB marketplace means Medusa never has to conduct its own intrusions; it buys access that others have already established. And the data publication model means even organizations that don't pay generate revenue, because stolen records are sold to additional buyers. The business model is optimized for volume and resilience, not precision. Every EMS provider that has not built detection depth is part of the accessible market.

Why EMS Providers Are a Prime Target


It would be tempting to frame this attack as an anomaly — a mid-sized ambulance company that happened to be in the wrong place at the wrong time. The data suggests otherwise. Emergency medical services providers sit at an intersection of operational pressures and data sensitivity that makes them structurally attractive to ransomware actors.

Consider the data profile alone. A single ambulance call can generate a record containing a patient's full name, date of birth, Social Security number (required for billing), insurance carrier, policy number, employer information, medical condition, medications administered, and financial account details for billing purposes. Multiply that by 140,000 calls per year and you have a data environment that rivals a regional hospital in terms of sheer identity exposure — often with fewer dedicated security resources.

Scale of exposure: 237,830 affected individuals, every one of them a real person whose complete identity profile (SSN, DOB, medical records, financial data) is now in criminal circulation.

The healthcare sector at large has been absorbing escalating ransomware pressure for years. According to HIPAA Journal's ongoing breach statistics, hacking accounted for more than 80% of large healthcare data breaches reported to HHS in recent years, and ransomware attacks in healthcare surged 278% between 2018 and 2023. In 2025, ransomware attacks against medical practices rose an additional 36% year-over-year in the latter half of the year, with breach costs averaging nearly $10 million per incident when phishing is involved, according to IBM's 2024 Cost of a Data Breach Report.

Emergency medical providers also carry a specific operational vulnerability that hospitals share but that is perhaps even more acute for EMS: the cost of downtime is measured in human lives. When a ransomware group encrypts a hospital's systems, administrators face the pressure of choosing between paying a criminal organization or watching patient care degrade. For an ambulance dispatch network, the calculus is even sharper. Any disruption to computer-aided dispatch (CAD) systems, patient record access, or communications infrastructure has immediate consequences in the field. CAD is the software that manages ambulance dispatch, routing, and crew coordination; if ransomware encrypts it, emergency response can halt or be severely delayed, which makes it the highest-leverage target in an EMS attack. Ransomware groups understand this leverage and use it deliberately.

Bell Ambulance was not the first EMS provider hit. In June 2024, Acadian Ambulance Service in Louisiana was struck by the Daixin Team ransomware group in an attack affecting approximately 2.9 million patients. The attackers demanded $7 million; Acadian offered $173,000; the offer was rejected and the data was published online. The pattern — attack, negotiate, publish — has become the standard operating procedure for ransomware groups targeting healthcare and EMS organizations.

The decision calculus for an EMS organization under active ransomware attack is deliberately engineered to be impossible. Paying funds criminal operations and — as the Medusa triple extortion cases show — doesn't guarantee recovery. Not paying means the data is published and victims face ongoing harm. And a third option — restoring from backups — only works if backups survived the attack, which Medusa specifically works to prevent by targeting backup infrastructure before detonating the payload. The window for a clean recovery closes during the dwell period, before the organization even knows an attack is underway. This is why detection speed matters more than response capability.

What the Breach Notification Process Revealed


The timeline of Bell Ambulance's disclosure process is itself instructive. The company discovered the breach on February 13, 2025. Under the HIPAA Breach Notification Rule, covered entities are required to notify affected individuals and report to HHS within 60 days of discovering a breach; breaches affecting 500 or more people must also be reported to local media and are publicly posted on the HHS breach portal. When the 60-day deadline is reached and an investigation is still ongoing, organizations typically file a breach report using a placeholder figure of 500 or 501 affected individuals, the minimum threshold that triggers public posting on the HHS breach portal, and update the number when the review concludes.

Bell Ambulance's first public disclosure came on April 14, 2025, with an initial estimate of 114,000 affected individuals. Notification letters went out on April 18. But the data review continued for another ten months, concluding on February 20, 2026 — at which point the confirmed total had more than doubled to 237,830. The final notification to the Maine Attorney General followed in March 2026.

Notification gap analysis
Breach to first notification: 60 days (HIPAA limit met)
Breach to data published on Medusa leak site: ~30–45 days
Breach to final scope confirmed: 378 days
The data was published to criminal markets before most affected individuals received their first notification letter.

This elongated process is not unique to Bell Ambulance. Large healthcare breaches routinely take months or years to fully scope, particularly when attackers have accessed multiple systems containing records from different time periods and operational functions. The challenge is compounded when the stolen data has already been published: affected individuals whose notification letters arrive a year after the fact have been exposed — without their knowledge or the ability to take protective action — for the entire intervening period.

The regulatory environment is evolving in response. Proposed updates to the HIPAA Security Rule, currently under HHS review, would mandate multi-factor authentication (MFA, a control that requires users to verify identity through two or more independent factors: something they know, such as a password; something they have, such as a hardware token or phone; or something they are, such as a biometric) for all systems handling electronic protected health information (ePHI), require encryption for all ePHI at rest and in transit, and establish disaster recovery capabilities that can restore systems and data within 72 hours of an incident. These requirements would represent a fundamental shift from the current framework, which establishes flexible "addressable" standards that organizations can interpret broadly. For EMS providers like Bell Ambulance, meeting those standards would require substantial investment in security infrastructure that many have not historically prioritized.

IBM's 2024 Cost of a Data Breach Report found that healthcare breaches involving phishing attacks carry an average cost of $9.77 million per incident — among the highest of any sector studied. (IBM, 2024)

Bell Ambulance technically met the HIPAA 60-day notification deadline. But the rule was written in a world where breach scoping happened quickly and stolen data didn't immediately hit public criminal markets. The gap between legal compliance and meaningful protection has widened considerably. By the time an affected individual receives a notification letter, their SSN may have already been used to file a fraudulent tax return, establish a fraudulent credit line, or submit a false insurance claim under their policy. Credit monitoring — offered retroactively — does not undo any of that. The rule needs updating; the standard response package needs updating with it.

What EMS Organizations Should Actually Do


Generic security advice — patch your systems, enable MFA, train your staff — is not wrong. It is just insufficient for an organization that handles 140,000 patient encounters a year and runs 24/7 dispatch operations on systems that have to stay up. The following recommendations go beyond the standard checklist and are specific to the structural vulnerabilities this breach revealed.

Compress dwell time with EMS-tuned behavioral detection, not just perimeter tooling

The most consequential failure in the Bell Ambulance incident was not that attackers got in. It was that they moved freely for seven days before anyone noticed. Perimeter tools — firewalls, email filters, endpoint detection — are designed to block entry, not to flag an attacker who is already inside and using legitimate credentials and tools. The solution requires layering detection capabilities that watch for what happens after entry.

For EMS organizations specifically, that means configuring a SIEM with behavioral baselines that reflect EMS operational patterns — not generic enterprise templates. Dispatch systems are accessed continuously 24/7; patient care report (PCR) platforms are accessed during or immediately after runs; billing systems operate during business hours from a known account population. An attacker who extracts credentials and accesses the billing server at 2am from a source IP that normally handles dispatch is generating a detectable anomaly. The baseline already exists in the data — the question is whether anything is configured to surface it.

Pairing SIEM with Network Detection and Response (NDR), a tool category that monitors internal network traffic for the anomalous behavior endpoint tools miss because the attacker is already inside using legitimate tools (lateral movement, unusual data transfers, credential abuse), closes a critical gap: NDR monitors east-west (internal) traffic that endpoint detection agents never see. Specific detection rules to prioritize:
  1. PowerShell and WMI execution from accounts that do not typically run scripts.
  2. RDP sessions between systems that do not normally communicate.
  3. Bulk file access events on data stores outside normal operating windows.
  4. Large staging transfers to directories that are not standard backup destinations.
Any one of these patterns, fired during the Bell Ambulance dwell period, could have triggered investigation before 219.5 GB left the network.
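The two preceding paragraphs describe a baseline-then-alert approach: learn each system's normal hours and sources, then flag the four patterns listed. The block below is an added example of that logic in Python, written for this article; it is not Bell Ambulance's tooling or any SIEM vendor's rule syntax. The pipe-delimited event schema, every host and account name, the 5 GB staging threshold, and the "more than 10 times the largest normal read" bulk-access rule are assumptions made for the example. The baseline is learned from a constructed stretch of normal dispatch and billing activity and then applied to constructed events resembling the dwell-period behaviour the text describes, including the billing server being read at 2 a.m. from a dispatch console.

```python
"""Behavioral baseline detection over EMS logs.

Added example (not Bell Ambulance's or any vendor's code). The pipe-delimited
schema ts|account|src|dst|action|k=v,... and every host, account and threshold
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

BACKUP_DESTINATIONS = {"bkp-01:/backup"}   # known-good staging targets (assumed)
STAGING_BYTES = 5 * 1024 ** 3              # single writes at or above 5 GB (assumed threshold)
BULK_FACTOR = 10                           # read count > 10x the largest normal read (assumed)


def parse(line):
    """Turn one constructed log line into a dict; numeric detail values stay as strings."""
    ts, account, src, dst, action, detail = line.split("|")
    kv = dict(item.split("=", 1) for item in detail.split(",") if item)
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": src, "dst": dst, "action": action, **kv}


class EmsBaseline:
    """Learn what normal looks like per system and per account from a history window."""

    def __init__(self, history_lines):
        self.script_accounts = set()      # accounts that normally run PowerShell/WMI
        self.rdp_pairs = set()            # (src, dst) pairs that normally talk RDP
        self.read_pairs = set()           # (src, dst) pairs that normally read files
        self.hours = defaultdict(set)     # dst -> hours of day when it is normally read
        self.max_read = defaultdict(int)  # dst -> largest file_read count seen
        for line in history_lines:
            e = parse(line)
            if e["action"] == "script_exec":
                self.script_accounts.add(e["account"])
            elif e["action"] == "rdp":
                self.rdp_pairs.add((e["src"], e["dst"]))
            elif e["action"] == "file_read":
                self.read_pairs.add((e["src"], e["dst"]))
                self.hours[e["dst"]].add(e["ts"].hour)
                self.max_read[e["dst"]] = max(self.max_read[e["dst"]],
                                              int(e.get("count", 0)))

    def evaluate(self, line):
        """Return the names of the rules an event trips; [] means it fits the baseline.
        A system absent from the baseline has no normal hours or sources, so any access
        to it is flagged, which is the conservative choice for an unknown data store."""
        e = parse(line)
        hits = []
        if e["action"] == "file_read":
            if (e["src"], e["dst"]) not in self.read_pairs:
                hits.append("unfamiliar-source-for-system")
            if e["ts"].hour not in self.hours[e["dst"]]:
                hits.append("access-outside-operating-window")
            if int(e.get("count", 0)) > BULK_FACTOR * self.max_read[e["dst"]]:
                hits.append("bulk-file-access")
        elif e["action"] == "script_exec" and e["account"] not in self.script_accounts:
            hits.append("script-from-non-script-account")
        elif e["action"] == "rdp" and (e["src"], e["dst"]) not in self.rdp_pairs:
            hits.append("rdp-between-unrelated-hosts")
        elif (e["action"] == "file_write"
              and int(e.get("bytes", 0)) >= STAGING_BYTES
              and f"{e['dst']}:{e.get('path', '')}" not in BACKUP_DESTINATIONS):
            hits.append("large-staging-transfer")
        return hits


def scan(baseline, lines):
    """Return only the events that tripped a rule, together with the rules they tripped."""
    return [(line, hits) for line in lines if (hits := baseline.evaluate(line))]


# Constructed history: billing reads 08:00-17:00 from a billing workstation, dispatch
# reads the CAD server around the clock, one admin runs scripts and uses RDP, and
# the backup job writes large files to the known backup destination.
HISTORY = (
    [f"2025-01-{d:02d}T{h:02d}:00:00|b.jones|bill-ws-01|bill-srv|file_read|count=120"
     for d in (6, 7, 8) for h in range(8, 18)]
    + [f"2025-01-06T{h:02d}:30:00|svc_dispatch|disp-con-01|cad-srv|file_read|count=40"
       for h in range(24)]
    + ["2025-01-06T09:05:00|it_admin|admin-ws|bill-srv|script_exec|cmd=powershell",
       "2025-01-06T09:06:00|it_admin|admin-ws|bill-srv|rdp|",
       "2025-01-06T23:00:00|svc_backup|bill-srv|bkp-01|file_write|bytes=8589934592,path=/backup"]
)

# Constructed dwell-period events: a dispatch console reading the billing server at
# 02:15, scripts and RDP from an account that never used them, and a 10 GB write
# to a staging directory that is not a backup target; the last two lines are normal.
DWELL_EVENTS = [
    "2025-02-08T02:15:00|j.smith|disp-con-01|bill-srv|file_read|count=4000",
    "2025-02-08T02:16:00|j.smith|disp-con-01|bill-srv|script_exec|cmd=powershell",
    "2025-02-08T02:20:00|j.smith|disp-con-01|pcr-srv|rdp|",
    "2025-02-08T03:00:00|j.smith|bill-srv|disp-srv|file_write|bytes=10737418240,path=/tmp/stage",
    "2025-02-08T10:00:00|b.jones|bill-ws-01|bill-srv|file_read|count=100",
    "2025-02-08T23:00:00|svc_backup|bill-srv|bkp-01|file_write|bytes=10737418240,path=/backup",
]

if __name__ == "__main__":
    for line, hits in scan(EmsBaseline(HISTORY), DWELL_EVENTS):
        print(hits, line)
```

The baseline is deliberately per system: the billing server's normal hours are learned separately from the CAD server's, which is why a 2 a.m. read is an anomaly on one and routine on the other, and a read from a dispatch console trips the source rule even before the hour or volume is considered. A production rule set would also age out the baseline and learn per-account profiles; what this keeps is the point of the passage, that the signal was already in the logs and only needed something configured to compare against it.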

The objection EMS organizations most often raise to tools like NDR is cost. The calculus changes when set against a realistic breach scenario. Forensic investigation, legal notification, credit monitoring for 237,830 people across 24 months, regulatory exposure, and reputational damage compound quickly past the cost of a year of NDR licensing. The more honest framing is not "can we afford this tool" but "what is the organization's actual risk tolerance for a seven-day undetected intrusion, and have we made that decision explicitly rather than by default." Most organizations that have experienced a ransomware event would pay substantially more than NDR costs to have had it running before the attack.

Harden Active Directory as if it is already compromised — because it likely will be

Medusa's documented playbook depends on Mimikatz-style credential harvesting to enable lateral movement: the extraction of stored usernames and password hashes (or plaintext credentials) from system memory, the Windows registry, or authentication databases. Mimikatz is the most widely used tool for this technique and a documented part of Medusa's kill chain. In EMS organizations, Active Directory is the backbone of all internal access, and it is rarely hardened beyond the default configuration. The default configuration was not designed with a sophisticated ransomware affiliate in mind.

Specific hardening measures that directly disrupt Medusa's kill chain:
  1. Implement a tiered administration model that isolates privileged credentials to dedicated admin workstations, so a compromised field-access account cannot be used to reach domain controllers.
  2. Place privileged accounts in the Protected Users security group in AD, which removes NTLM fallback and stops cleartext credentials from being cached in memory, both of which Mimikatz relies on.
  3. Deploy Windows Credential Guard to move credential storage into a hardware-isolated environment that LSASS process dumping cannot reach.
  4. Disable NTLM authentication on all systems where Kerberos can be enforced, eliminating pass-the-hash as a lateral movement option.
  5. Run regular AD tiering audits to identify service accounts that have accumulated excessive privilege over time without any specific operational need.
These controls do not make credential harvesting impossible, but they make the credentials that are harvested either lower-value or protected at a hardware level that software-based tools cannot bypass, collapsing the lateral movement window that gives Medusa its reach.
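The tiering audit in the last item is the one control on that list that can be expressed as a repeatable check. The block below is an added example in Python, written for this article and not Bell Ambulance's process or Microsoft tooling; a real audit would pull account, group and logon data from AD with PowerShell or LDAP, whereas this block takes a constructed export. The account names, host names, the host-to-tier map and the set of groups treated as tier 0 are assumptions for the example. It flags the three conditions the text describes: a tier-0 account outside Protected Users, a service account that has accumulated tier-0 membership, and a tier-0 credential used on a lower-tier host where Mimikatz could harvest it.

```python
"""Static Active Directory tiering audit over a constructed account export.

Added example, not Bell Ambulance's process or Microsoft tooling. In production the
account and logon data would come from AD (PowerShell or LDAP); here it is constructed.
"""
from dataclasses import dataclass

# Assumed mapping: groups whose members hold tier-0 (domain-wide) control.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Assumed host inventory: 0 = domain controllers, 1 = servers, 2 = workstations/consoles.
TIER_OF_HOST = {"dc-01": 0, "dc-02": 0, "bill-srv": 1, "cad-srv": 1,
                "bill-ws-07": 2, "disp-con-01": 2}


@dataclass
class Account:
    name: str
    groups: frozenset        # AD group memberships
    is_service: bool         # service account rather than a person
    logon_hosts: frozenset   # hosts where this account has logged on


def audit(accounts):
    """Return (account, finding) pairs for each tiering violation the text describes:
    tier-0 accounts outside Protected Users, service accounts that have accumulated
    tier-0 membership, and tier-0 credentials exposed on lower-tier hosts."""
    findings = []
    for a in accounts:
        if not a.groups & TIER0_GROUPS:
            continue   # tier 0 is the credential Mimikatz is after; others are out of scope here
        if "Protected Users" not in a.groups:
            findings.append((a.name, "tier-0 account not in Protected Users"))
        if a.is_service:
            findings.append((a.name, "service account holds tier-0 group membership"))
        # Unknown hosts are treated as tier 2 (least trusted) rather than assumed safe.
        exposed = sorted(h for h in a.logon_hosts if TIER_OF_HOST.get(h, 2) > 0)
        if exposed:
            findings.append((a.name, f"tier-0 credential used on lower-tier hosts: {exposed}"))
    return findings


# Constructed export: one correctly handled admin, one legacy backup service account that
# was made Domain Admin years ago and logs on to servers, and an ordinary billing user.
EXPORT = [
    Account("da-keller", frozenset({"Domain Admins", "Protected Users"}), False,
            frozenset({"dc-01"})),
    Account("svc_backup_legacy", frozenset({"Domain Admins", "Domain Users"}), True,
            frozenset({"bill-srv", "cad-srv"})),
    Account("b.jones", frozenset({"Domain Users", "Billing Staff"}), False,
            frozenset({"bill-ws-07"})),
]

if __name__ == "__main__":
    for name, finding in audit(EXPORT):
        print(f"{name}: {finding}")
```

For a service account the fix is the second finding, not the first: the excess membership should be removed rather than the account added to Protected Users, because a service account in that group loses the NTLM and long-lived Kerberos ticket behaviour it may depend on. The audit reports both so that the remediation decision is explicit.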

Implement true network segmentation between operational and administrative environments

In many EMS organizations, the computer-aided dispatch system, the patient care reporting platform, and the billing and insurance processing environment share the same flat network or trust domain. An attacker who compromises a billing workstation — the most common initial access vector through phishing — can in this configuration pivot directly into dispatch and clinical systems without crossing any enforced boundary.

Addressing this requires more than VLAN configuration. VLANs separate broadcast domains; they do not enforce application-layer access controls or prevent a compromised account with credentials to both segments from moving between them. True micro-segmentation (dividing the network into isolated zones with strict, policy-enforced access controls between them, so that compromising one zone does not grant access to others; harder to implement than VLANs but far more effective against lateral movement) requires enforced access policies between segments, monitored east-west traffic with alerting on unexpected cross-segment sessions, and identity-based access controls that restrict what a given account can reach regardless of which physical or virtual network it originates from. For organizations where full micro-segmentation is too resource-intensive to implement simultaneously across all systems, the highest-priority first step is establishing a hard boundary between billing and administrative systems and the operational dispatch network, closing the most common lateral movement path before addressing secondary segments. CAD systems, in particular, should be treated as operationally critical infrastructure with the same network isolation posture as a SCADA environment: no inbound connections from administrative networks unless explicitly whitelisted and monitored in real time.
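The difference between a flat network and an enforced, identity-aware segment policy, as an added example in Python written for this article (not Bell Ambulance's configuration and not any vendor's policy language). The /24 address plan, zone names, ports and group names are constructed. The policy is default-deny, lists every permitted cross-segment path explicitly, requires the account's group to match as well as the zone, and returns an alert for every cross-segment session it does allow, which is the "whitelisted and monitored" posture the text asks for around CAD.

```python
"""Zone-and-identity access policy for an EMS network.

Added example, not Bell Ambulance's configuration or any vendor's policy language. The
address plan, zone names, ports and group names are constructed; the point is that a flat
network admits the billing-to-CAD pivot and a default-deny segment policy with identity
conditions refuses it and logs it.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {   # constructed address plan, one /24 per segment
    "billing":  ipaddress.ip_network("10.10.0.0/24"),
    "admin":    ipaddress.ip_network("10.20.0.0/24"),
    "dispatch": ipaddress.ip_network("10.30.0.0/24"),  # CAD servers and consoles
    "clinical": ipaddress.ip_network("10.40.0.0/24"),  # PCR platform
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    groups: frozenset   # identity groups allowed on this path; zone alone is not enough


# Default deny; every cross-segment path is listed explicitly. CAD accepts nothing from
# administrative networks except the one monitored RDP path for tier-1 admins.
SEGMENTED_POLICY = [
    Rule("dispatch", "dispatch", 443,  frozenset({"dispatchers", "cad-service"})),
    Rule("clinical", "dispatch", 443,  frozenset({"cad-service"})),
    Rule("admin",    "dispatch", 3389, frozenset({"tier1-admins"})),
    Rule("billing",  "billing",  445,  frozenset({"billing-staff"})),
    Rule("admin",    "billing",  3389, frozenset({"tier1-admins"})),
]


def zone_of(ip):
    """Map an address to its segment; anything outside the plan is 'unknown' and matches no rule."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")


def decide(policy, src_ip, dst_ip, port, groups, flat=False):
    """Return (allowed, alert). flat=True models VLAN-only separation: a single trust
    domain where every session is reachable and none is inspected at a boundary."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if flat:
        return True, None
    for r in policy:
        if (r.src_zone, r.dst_zone, r.port) == (src, dst, port) and groups & r.groups:
            # Cross-segment sessions are allowed only on listed paths and always alerted.
            alert = f"monitored cross-segment {src}->{dst}:{port}" if src != dst else None
            return True, alert
    return False, f"denied {src}->{dst}:{port} for {sorted(groups)} from {src_ip}"


# Constructed sessions: the phished billing workstation pivoting to the CAD server over RDP,
# a dispatcher's normal console traffic, a tier-1 admin on the whitelisted path, and a
# billing user's credential being used from the admin zone.
SESSIONS = [
    ("10.10.0.23", "10.30.0.10", 3389, frozenset({"billing-staff"})),
    ("10.30.0.51", "10.30.0.10", 443,  frozenset({"dispatchers"})),
    ("10.20.0.5",  "10.30.0.10", 3389, frozenset({"tier1-admins"})),
    ("10.20.0.5",  "10.30.0.10", 3389, frozenset({"billing-staff"})),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print("flat:", decide(SEGMENTED_POLICY, *s, flat=True),
              "| segmented:", decide(SEGMENTED_POLICY, *s))
```

The fourth session is the one VLANs cannot express: the source is in the admin zone, the port is the permitted one, and the policy still refuses it because the identity is wrong for that path. Checking zone and group together is what stops a credential harvested from one segment from being useful in another.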

Build a ransomware-resistant backup architecture with a tested operational recovery sequence

A backup strategy that is not explicitly designed to survive a ransomware attack will not survive one. Medusa specifically targets and destroys backup infrastructure before deploying the ransomware payload — because an intact backup eliminates the payment pressure. The architecture that resists this has three components that must all be in place simultaneously.

  1. Immutable backups stored in a location the production environment cannot modify: object storage with object lock enabled, air-gapped tape rotated off-network, or a cloud tier provisioned under entirely separate credentials that no production account can access. Medusa cannot encrypt what it cannot reach or modify. If the same service account that runs production systems can also delete the backup, the backup is not ransomware-resistant.
  2. A recovery runbook that specifies not just how to restore data but in what sequence systems must come back online to maintain dispatch continuity, because restoring servers in the wrong order in an EMS environment can leave dispatch non-functional even after data is technically restored.
  3. Recovery time objectives that have been validated under simulated ransomware conditions. This is the one requirement that most organizations skip. Confirming that backups exist is not the same as confirming that the organization can restore dispatch operations within an operationally acceptable window from those backups when the primary environment is completely unavailable. A tabletop exercise is the minimum; a partial failover test under controlled conditions is stronger.
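The three components above can be turned into checks that run before an incident rather than assertions made after one. The block below is an added example in Python, written for this article and not Bell Ambulance's runbook or any backup product's API. The system inventory, the dependencies between systems and the restore-time estimates are constructed; the 72-hour window is the restore target the proposed HIPAA Security Rule update described earlier would require, and the 10-day dwell assumption is the industry median quoted earlier in the article. It sequences the runbook by dependency, computes the critical path to a working dispatch console against the RTO, and applies the immutability and separate-credential conditions to a backup configuration.

```python
"""Recovery runbook sequencing and backup-resistance checks for EMS systems.

Added example, not Bell Ambulance's runbook. The system inventory, dependencies and
restore-time estimates are constructed; the 72-hour target is the restore window the
proposed HIPAA Security Rule update would require.
"""
from collections import deque

# name -> (systems it depends on, assumed restore minutes once dependencies are up)
SYSTEMS = {
    "domain-controller": ((), 90),
    "dns":               (("domain-controller",), 20),
    "cad-db":            (("domain-controller", "dns"), 180),
    "cad-app":           (("cad-db",), 60),
    "radio-gateway":     (("dns",), 45),
    "dispatch-consoles": (("cad-app", "radio-gateway"), 120),
    "pcr-platform":      (("cad-app",), 150),
    "billing":           (("domain-controller", "pcr-platform"), 240),
}


def recovery_order(systems):
    """Kahn's algorithm: a system is restored only after everything it depends on is back.
    Restoring out of this order is how dispatch stays down after the data is 'restored'."""
    indeg = {n: len(deps) for n, (deps, _) in systems.items()}
    children = {n: [] for n in systems}
    for n, (deps, _) in systems.items():
        for d in deps:
            children[d].append(n)
    ready = deque(sorted(n for n, k in indeg.items() if k == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for c in sorted(children[n]):
            indeg[c] -= 1
            if indeg[c] == 0:
                ready.append(c)
    if len(order) != len(systems):
        raise ValueError("dependency cycle: runbook cannot be sequenced")
    return order


def time_to_restore(systems, target):
    """Critical-path minutes until `target` is usable, assuming independent restores run in parallel."""
    finish = {}
    for n in recovery_order(systems):
        deps, minutes = systems[n]
        finish[n] = max((finish[d] for d in deps), default=0) + minutes
    return finish[target]


def meets_rto(systems, target, rto_minutes):
    return time_to_restore(systems, target) <= rto_minutes


def backup_issues(cfg, production_principals):
    """Apply the conditions from the text to a backup configuration (a constructed dict):
    write-once storage, credentials no production account holds, and retention that
    outlasts the dwell time an attacker may have had before detonation (an assumption
    drawn from the point that the clean-recovery window closes during the dwell period)."""
    issues = []
    if not cfg.get("object_lock", False):
        issues.append("backup target is not write-once (no object lock / WORM / offline media)")
    if cfg["principal"] in production_principals:
        issues.append(f"production identity {cfg['principal']!r} can delete the backup")
    if cfg.get("retention_days", 0) <= cfg.get("assumed_dwell_days", 0):
        issues.append("retention does not outlast the assumed dwell time; no clean copy survives")
    return issues


if __name__ == "__main__":
    print("restore order:", " -> ".join(recovery_order(SYSTEMS)))
    print("minutes to dispatch:", time_to_restore(SYSTEMS, "dispatch-consoles"),
          "| meets 72h RTO:", meets_rto(SYSTEMS, "dispatch-consoles", 72 * 60))
    weak = {"object_lock": False, "principal": "svc_prod",
            "retention_days": 7, "assumed_dwell_days": 10}
    strong = {"object_lock": True, "principal": "backup-writer",
              "retention_days": 30, "assumed_dwell_days": 10}
    print("weak config:", backup_issues(weak, {"svc_prod", "svc_cad"}))
    print("hardened config:", backup_issues(strong, {"svc_prod", "svc_cad"}))
```

The critical-path figure is only as good as the restore estimates fed into it, which is why the text insists on validating them under simulated conditions: the sequencing logic is the easy part, and the number that matters comes from a failover test, not from the table.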

Replace the standard post-breach response package with one calibrated to the actual fraud surface

Bell Ambulance offered 24 months of credit monitoring through IDX. Credit monitoring is a reactive notification tool — it generates an alert after a fraudulent account has already been opened. For the 237,830 people whose Social Security numbers, dates of birth, driver's license numbers, insurance data, and medical records are now permanently in circulation on criminal markets, the standard response package does not match the actual risk surface.

A response that meaningfully reduces the actionable window for the stolen data should include several components that credit monitoring does not cover. Facilitating IRS Identity Protection PINs for affected individuals blocks fraudulent federal tax filings using a stolen SSN — a fraud type that does not trigger a credit monitoring alert at all and can take years to resolve. Providing explicit, step-by-step guidance on placing security freezes not just at the three primary credit bureaus but also at ChexSystems (which governs new bank account opening) and the National Consumer Telecom and Utilities Exchange (NCTUE) closes fraud vectors that credit-only freezes leave open. Proactively notifying health insurers of the affected population — so insurers can flag those accounts for elevated scrutiny of claims — addresses medical identity theft, which is the fraud type that causes the most long-term harm for individuals in this dataset: fraudulent claims filed under a victim's policy exhaust coverage limits and create false medical history entries that can affect future care. Finally, staffing a response line with personnel who can walk affected individuals through the mechanics of medical fraud detection — rather than directing them to a generic identity protection portal — meaningfully increases the likelihood that affected individuals take protective action before fraud occurs rather than after.

Use the proposed HIPAA Security Rule updates as an active gap assessment benchmark, not a future compliance event

The proposed HIPAA Security Rule changes currently under HHS review would mandate multi-factor authentication for all ePHI-handling systems, encryption for ePHI at rest and in transit, and the operational capability to restore systems and data within 72 hours of a ransomware incident. These represent a fundamental shift from the current framework's flexible "addressable" standards — which EMS organizations have historically interpreted broadly — to specific, auditable requirements.

The practical implication for organizations that have not yet met these thresholds is that waiting for the rule to finalize creates simultaneous legal and operational risk: the organization remains exposed during the gap period and then faces a compressed implementation timeline once enforcement begins. Running a gap assessment against the proposed requirements now — mapping current MFA coverage, encryption posture for ePHI at rest and in transit, and validated recovery time capabilities against each proposed requirement — produces a prioritized remediation roadmap that improves security posture immediately while positioning the organization ahead of the compliance deadline rather than scrambling to meet it. For an EMS provider already operating under the cost and resource constraints that make security investment difficult, this framing matters: the controls that close the compliance gap are the same controls that would have changed the outcome at Bell Ambulance.
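A gap assessment of this kind is a table-driven exercise, and it is easy to mechanise. The following is an added example, not the article's or HHS's tooling: it walks a constructed ePHI system inventory, flags each system that falls short of the three proposed requirements named above (MFA on every access path, encryption at rest and in transit, recovery validated within 72 hours), and sorts the findings into a remediation order weighted by record count and internet exposure. The severity weights and the minimum TLS version are the author's assumptions, not regulatory figures.

```python
"""Gap assessment of ePHI systems against the proposed HIPAA Security Rule
requirements named in the article: MFA, encryption at rest and in transit, and
recovery within 72 hours.

Added example; not the article's or HHS's tooling. The inventory is constructed,
and the scoring scheme is an assumption used to prioritise, not a regulatory formula.
"""

RTO_LIMIT_HOURS = 72          # recovery threshold quoted in the article
MIN_TLS = "tls1.2"            # assumption: anything older counts as a gap
TLS_RANK = {"tls1.0": 10, "tls1.1": 11, "tls1.2": 12, "tls1.3": 13}
# Relative weight of each control gap (assumption).
SEVERITY = {"mfa": 3, "recovery": 3, "at_rest": 2, "in_transit": 2}

# Constructed inventory (hypothetical). "access_paths" lists every way a user or
# service reaches ePHI on the system and whether that path enforces MFA.
INVENTORY = [
    {"system": "epcr", "records": 240000, "internet_facing": True,
     "access_paths": {"web": {"mfa": True}, "vpn": {"mfa": True}, "rdp": {"mfa": False}},
     "at_rest": "aes256", "in_transit": "tls1.2", "validated_rto_hours": 18},
    {"system": "billing", "records": 240000, "internet_facing": False,
     "access_paths": {"desktop_app": {"mfa": False}},
     "at_rest": None, "in_transit": "tls1.0", "validated_rto_hours": None},
    {"system": "cad_dispatch", "records": 140000, "internet_facing": False,
     "access_paths": {"console": {"mfa": True}},
     "at_rest": "aes256", "in_transit": "tls1.3", "validated_rto_hours": 15},
    {"system": "file_share", "records": 50000, "internet_facing": True,
     "access_paths": {"smb": {"mfa": False}},
     "at_rest": None, "in_transit": None, "validated_rto_hours": 90},
]


def assess_system(entry):
    """Return a list of (control, detail) gaps for one inventory entry."""
    gaps = []
    no_mfa = sorted(p for p, a in entry["access_paths"].items() if not a["mfa"])
    if no_mfa:
        gaps.append(("mfa", f"no MFA on access path(s): {', '.join(no_mfa)}"))
    if not entry["at_rest"]:
        gaps.append(("at_rest", "ePHI stored unencrypted"))
    if TLS_RANK.get(entry["in_transit"], 0) < TLS_RANK[MIN_TLS]:
        transport = entry["in_transit"] or "plaintext"
        gaps.append(("in_transit", f"transport is {transport}, below {MIN_TLS}"))
    rto = entry["validated_rto_hours"]
    if rto is None:
        gaps.append(("recovery", "recovery time never validated under test"))
    elif rto > RTO_LIMIT_HOURS:
        gaps.append(("recovery", f"validated recovery of {rto}h exceeds {RTO_LIMIT_HOURS}h"))
    return gaps


def score(entry, control):
    """Higher means fix sooner: severity, doubled for internet exposure, times records held."""
    exposure = 2 if entry["internet_facing"] else 1
    return SEVERITY[control] * exposure * entry["records"]


def remediation_roadmap(inventory=INVENTORY):
    """All gaps across the inventory, highest-priority first."""
    items = []
    for entry in inventory:
        for control, detail in assess_system(entry):
            items.append({"system": entry["system"], "control": control,
                          "detail": detail, "score": score(entry, control)})
    items.sort(key=lambda i: (-i["score"], i["system"], i["control"]))
    return items


if __name__ == "__main__":
    for rank, item in enumerate(remediation_roadmap(), 1):
        print(f"{rank:2d}. [{item['score']:>8}] {item['system']:<13} {item['control']:<10} {item['detail']}")
```

On the constructed inventory the single unauthenticated RDP path into the internet-facing ePCR system ranks above every gap on the internal billing system, which is the ordering a resource-constrained EMS provider needs: the control that most reduces exposure to the intrusion pattern seen at Bell Ambulance goes first, and the same list doubles as the evidence trail for the eventual compliance audit.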

Key Takeaways

  1. EMS providers hold hospital-grade data with clinic-grade security: The Bell Ambulance breach exposed records containing the full identity and health profile of nearly a quarter million people. Emergency medical services organizations must treat their data environments with the same rigor as hospitals — not as administrative back-office operations.
  2. Medusa's publish-or-pay model makes non-payment a partial solution at best: Bell Ambulance's apparent decision not to pay the $400,000 ransom may be the correct operational and ethical choice, as the FBI and CISA strongly advise against paying ransoms. But when Medusa publishes the stolen data regardless, affected individuals face ongoing exposure with no good remediation path beyond credit monitoring and vigilance.
  3. A seven-day dwell time is a preventable detection failure: The attackers had undetected access from February 7 to February 13. Network detection and response (NDR) tools, behavioral anomaly detection, and 24/7 security monitoring are not optional for organizations handling this volume and sensitivity of data. Endpoint detection alone is insufficient.
  4. Scope estimate revisions are a known pattern — plan for them: The initial figure of 114,000 doubled to 237,830 over the course of the investigation. Organizations should communicate clearly with affected individuals that initial numbers are conservative and that the final count may change, rather than issuing a second, larger notification a year later that appears to minimize the original disclosure.
  5. Regulatory changes are coming, and they are not optional: Proposed HIPAA Security Rule updates would mandate MFA, encryption, and rapid recovery capabilities across all covered entities. EMS providers that begin closing those gaps now — rather than waiting for enforcement — will be better positioned operationally and legally when the next attack comes.

The Bell Ambulance breach did not require a sophisticated nation-state actor or a zero-day vulnerability. It required a seven-day window of undetected access inside a network holding nearly a quarter million people's most sensitive records, and a ransomware group that knew exactly how to monetize what it found. The lesson is not that emergency services organizations are uniquely vulnerable. It is that they are not uniquely protected — and in a threat environment where Medusa alone has claimed more than 500 victims, that distinction carries serious consequences.
