Bell Ambulance, a US emergency medical services provider offering ambulance transport and paramedic care, confirmed a ransomware attack that exposed the personal and healthcare data of 237,830 individuals. The Medusa ransomware group claimed responsibility and alleged exfiltration of over 219 gigabytes of data. Attackers accessed Bell Ambulance's network between February 7–14, 2025, but the organization did not complete its review of affected files until February 20, 2026, a full year later, before notifying regulators and patients. The breach was disclosed to the Maine Attorney General and confirmed by third-party forensic investigation.

What Happened

Bell Ambulance detected unauthorized activity on its network on February 13, 2025, and engaged third-party forensic specialists to investigate. The investigation confirmed that an unauthorized party had access to systems containing sensitive patient information over a seven-day window: February 7 through February 14, 2025.

The Medusa ransomware group subsequently claimed responsibility, alleging exfiltration of 219+ GB of data. Medusa is a prolific double-extortion ransomware operation that has targeted healthcare organizations, critical infrastructure, and public sector entities across the US, UK, and Europe, often threatening to publish stolen data on its dark web leak site if ransoms are not paid.

The most significant operational detail is the timeline: Bell Ambulance completed its forensic review of affected files on February 20, 2026, 12 months after the initial incident. Regulatory notifications and patient letters followed that review. This means individuals whose Social Security numbers, medical records, and financial account details were potentially in attacker hands had no official notification for approximately one year.

What Was Taken

Confirmed compromised data categories include:

The combination of SSNs, medical records, and financial account data in a single breach represents a complete identity and medical fraud package. Emergency medical services providers are uniquely exposed because they sit at the intersection of hospital networks, insurance billing systems, and patient transport records; a single compromise can yield records spanning multiple care episodes and insurance relationships for each patient.

Medusa's claim of 219 GB exfiltrated suggests bulk export of patient record databases rather than targeted selective theft.

Why It Matters

EMS providers are a critical and underdefended node in the healthcare supply chain. Bell Ambulance operates across hospital networks and insurance systems, meaning its data holdings reflect the breadth of patient interactions across an entire regional healthcare ecosystem, not just a single facility. Compromising an EMS provider is, in effect, a partial breach of every hospital and insurer it serves.

Medusa is an active, high-volume healthcare threat actor. The group has targeted dozens of healthcare organizations and critical infrastructure entities. Its double-extortion model, encrypt and threaten to publish, is specifically designed to pressure organizations that cannot afford operational downtime or public data exposure. Healthcare providers are ideal targets because paying is often framed as a patient safety imperative.

The 12-month notification gap is the most damaging element of this incident. Patients whose SSNs and medical records were exposed in February 2025 were not notified until early 2026. During that period, their data was presumably available on Medusa's leak site or dark web markets. Fraudulent tax filings, medical identity theft, and insurance fraud enabled by this data would have had a 12-month head start before victims had any reason to be on guard.

The healthcare sector's HIPAA breach notification requirements demand reporting within 60 days of discovery for breaches affecting 500+ individuals. A one-year gap between detection and patient notification, even if attributed to forensic review timelines, represents a significant compliance exposure and raises questions about whether the organization's incident response framework is fit for purpose.

The Attack Technique

Threat actor: Medusa ransomware group (double-extortion RaaS operation).

Attack window: February 7–14, 2025 (7 days of confirmed unauthorized access).

Detection: February 13, 2025, six days into the intrusion window.

The specific initial access vector has not been publicly disclosed. Medusa operations typically leverage one or more of: exploitation of unpatched internet-facing vulnerabilities (particularly VPN and remote desktop gateway flaws), phishing campaigns targeting credentials, or purchase of initial access from brokers. The seven-day dwell time before detection is consistent with Medusa's operational pattern of staging and exfiltrating data before detonating ransomware.

The 219 GB claimed exfiltration volume suggests the attackers had sufficient access to enumerate and bulk-export patient record databases, not just steal individual files. This implies either database-level access or access to a document management system with broad read permissions.
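A bulk export on this scale is visible in network telemetry long before a leak-site claim appears, which is why the hunting guidance later in this piece matters. The following is an added example, not code from Bell Ambulance, the forensic firm, or any Medusa reporting: it reads a simple constructed flow export (timestamp, source, destination, bytes) and flags internal hosts whose daily outbound volume to external addresses either exceeds an absolute ceiling or jumps far above that host's own prior baseline. The internal ranges, thresholds, and the flow records themselves are assumptions chosen for illustration.

```python
"""
Hunt for bulk outbound data transfer in flow records (added example).

Assumptions (not from the original article):
  - flows arrive as CSV lines: ISO timestamp, src_ip, dst_ip, bytes_out
  - INTERNAL_NETS describes the organization's address space
  - a host's "baseline" is the median of its earlier daily outbound totals
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumption
GIB = 1024 ** 3

# Constructed sample flows. External addresses use RFC 5737 documentation ranges.
# Host 10.20.5.40 behaves normally on Feb 6, then pushes 6 GB out on Feb 7 and
# 42 GB on Feb 8. The final line is an internal-to-internal copy (staging), which
# this outbound check deliberately ignores.
SAMPLE_FLOWS = """\
2025-02-05T09:12:00,10.20.1.15,203.0.113.10,1200000
2025-02-05T13:40:00,10.20.1.15,203.0.113.10,900000
2025-02-06T10:02:00,10.20.1.15,198.51.100.5,1500000
2025-02-06T11:30:00,10.20.5.40,203.0.113.10,300000
2025-02-07T02:15:00,10.20.5.40,198.51.100.77,3000000000
2025-02-07T03:30:00,10.20.5.40,198.51.100.77,3000000000
2025-02-08T01:10:00,10.20.5.40,198.51.100.77,42000000000
2025-02-08T09:00:00,10.20.1.15,203.0.113.10,1100000
2025-02-08T14:00:00,10.20.5.40,10.20.9.9,500000000000
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse CSV flow lines into dicts keyed by calendar day."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows.append({
            "day": datetime.fromisoformat(ts).date(),
            "src": src,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return flows


def daily_outbound(flows: list) -> dict:
    """Sum bytes per (internal host, day) for internal -> external flows only."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["day"])] += f["bytes"]
    return dict(totals)


def find_bulk_exporters(flows: list, abs_threshold: int = 10 * GIB, ratio: float = 20.0) -> list:
    """
    Flag a host-day when outbound volume is >= abs_threshold, or >= ratio times
    the median of that host's earlier days. The baseline uses only prior days,
    so once exfiltration starts it inflates the baseline; the absolute threshold
    exists precisely to keep catching the later, larger days.
    """
    per_host = defaultdict(list)
    for (host, day), nbytes in daily_outbound(flows).items():
        per_host[host].append((day, nbytes))

    findings = []
    for host, series in per_host.items():
        series.sort()
        for i, (day, nbytes) in enumerate(series):
            prior = [b for _, b in series[:i]]
            baseline = median(prior) if prior else None
            reasons = []
            if nbytes >= abs_threshold:
                reasons.append("absolute")
            if baseline and nbytes >= ratio * baseline:
                reasons.append("ratio")
            if reasons:
                findings.append({
                    "host": host,
                    "day": day.isoformat(),
                    "bytes": nbytes,
                    "baseline": baseline,
                    "reason": "+".join(reasons),
                })
    return findings


if __name__ == "__main__":
    for hit in find_bulk_exporters(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['day']} {hit['host']} sent {hit['bytes'] / GIB:.2f} GiB "
              f"(baseline {hit['baseline']}, trigger: {hit['reason']})")
```

On the sample data the first anomalous day is caught by the ratio rule (6 GB against a 300 KB baseline) and the second by the absolute ceiling, because the earlier exfiltration day has already pulled the baseline up. Real deployments should also watch internal-to-internal volume spikes, since staging to a single host before export is part of the same pattern and is invisible to an outbound-only check.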

What Organizations Should Do

  1. EMS and healthcare providers must establish a 60-day HIPAA notification clock from breach detection, not forensic completion. The HIPAA Breach Notification Rule requires notification within 60 days of discovery, not 60 days after the forensic review concludes. Organizations should trigger provisional notifications to regulators and potentially affected individuals as soon as a breach is reasonably determined, updating as the scope is clarified. A 12-month delay is not legally defensible for a 500+ individual breach.

  2. Segment patient record databases from operational IT networks. EMS providers' patient data systems should not be reachable from the same network segment as employee laptops, dispatch systems, or internet-facing infrastructure. Network segmentation is the primary control that limits a ransomware operator's ability to enumerate and bulk-export patient databases after initial access.

  3. Deploy Medusa-specific IOCs and hunting rules immediately. Medusa is an active, high-frequency threat actor against healthcare. CISA and HHS-HC3 have published Medusa TTPs and indicators. EMS providers and regional hospitals should run threat hunts against Medusa's known initial access patterns, persistence mechanisms, and data staging behaviors across their environments.

  4. Implement immutable, offline backups for all patient data systems with tested restoration procedures. Ransomware is a recoverable incident if clean backups exist and cannot be encrypted. EMS providers should maintain a 3-2-1 backup posture with at least one offline or air-gapped copy, and test restoration quarterly. The encryption component of a ransomware attack should be a recovery exercise, not a catastrophe.

  5. Audit all third-party access to patient record systems. EMS providers connect to hospital EMR systems, insurance billing platforms, and dispatch networks. Each integration point is a potential lateral movement pathway. Audit every third-party system with credentials or API access to patient data, enforce least privilege, and rotate credentials on a defined schedule.

  6. Enroll all patients affected by prior healthcare breaches in proactive SSN fraud monitoring, not just 12 months of credit monitoring. The 12-month credit monitoring offering is industry standard and inadequate. SSN and medical identity fraud unfolds over years, not months. Organizations should advocate for and fund IRS Identity Protection PIN enrollment, Social Security fraud alerts, and medical identity protection services that extend beyond credit bureau monitoring.
