Spirit Medical Transport, one of the fastest-growing ambulance services in Western Ohio and Eastern Indiana, has been listed on the Qilin ransomware data leak site, signaling a confirmed compromise that potentially exposes protected health information (PHI) and personal data of patients across the region. The listing was posted on May 13, 2026, by Qilin, the most active ransomware operation for three consecutive quarters with 338 claimed victims in Q1 2026 alone.
What Happened
Threat intelligence monitoring of dark web leak sites identified Spirit Medical Transport LLC as a fresh victim on Qilin's extortion portal on May 13, 2026. The Greenville, Ohio-based ambulance provider operates additional locations in Celina, Sidney, and Liberty, Indiana, running a fleet of 12 ambulances, 10 wheelchair vans, 4 mini vans, and 2 utility vehicles in support of emergency and non-emergency medical transportation across the region.
As of publication, Spirit Medical Transport has not released a public statement confirming the incident, disclosing the scope of compromised data, or outlining a notification timeline for affected patients. Qilin has not yet published specifics on the volume or category of records exfiltrated, a posture consistent with the group's pressure tactics during active ransom negotiation windows.
What Was Taken
Qilin has not yet published a data sample or itemized inventory, but ambulance and medical transport providers typically maintain a high-sensitivity records environment that includes:
- Patient names, addresses, and dates of birth
- Social Security numbers
- Health insurance and payer information
- Medical history and conditions requiring specialized transport
- Treatment and transport records
- Emergency contact details
- Billing and payment data
Given Qilin's double-extortion methodology, defenders should assume bulk exfiltration of patient records prior to encryption rather than encryption alone.
Why It Matters
Healthcare and emergency medical services remain a top-priority target for Qilin, which has dominated ransomware leak site activity through Q1 2026 with healthcare accounting for a substantial share of victims. Attacks on ambulance providers carry consequences beyond standard PHI exposure: disruption to dispatch, electronic patient care reporting (ePCR), and billing systems can degrade emergency response capability in the communities served.
For patients across Darke, Mercer, Shelby, and Union counties in Ohio, and Union County in Indiana, the compromise creates elevated risk of medical identity theft, insurance fraud, and targeted social engineering using highly specific health context. Regional healthcare partners that exchange records with Spirit, including hospitals receiving transported patients, should treat this as a potential upstream data exposure event.
The Attack Technique
Spirit Medical Transport has not confirmed an initial access vector, and Qilin has not disclosed tradecraft on the leak post. Qilin's affiliate program, however, has consistently leveraged a well-documented set of intrusion patterns:
- Exploitation of internet-facing edge devices, including VPN appliances and unpatched Fortinet, SonicWall, and Citrix systems
- Phishing with credential harvesting and follow-on session token theft
- Valid account abuse purchased from initial access brokers
- Living-off-the-land lateral movement using RDP, PsExec, and Cobalt Strike
- Exfiltration via Rclone or MEGA prior to deployment of the Qilin (Agenda) encryptor, which supports both Windows and Linux/ESXi targets
Qilin operators have also been observed disabling endpoint protection and clearing event logs ahead of encryption to delay incident response.
What Organizations Should Do
Healthcare providers, EMS operators, and business associates exchanging data with Spirit Medical Transport should take the following steps:
- Hunt for Qilin/Agenda indicators of compromise, including known affiliate tooling such as Rclone, AnyDesk, and Cobalt Strike beacons, across endpoints and ESXi hosts.
- Patch and harden internet-exposed edge infrastructure (VPN, firewall, remote access gateways) and require phishing-resistant MFA on all external authentication surfaces.
- Audit data-sharing relationships with Spirit Medical Transport, including HL7, billing, and ePCR integrations, and review logs for anomalous access during May 2026.
- Validate immutable, offline backups for ePCR, dispatch, and billing platforms and rehearse restoration playbooks that prioritize 911-adjacent services.
- Segment OT/clinical operational systems from corporate networks to contain ransomware blast radius and preserve dispatch capability during an incident.
- Prepare patient notification, breach reporting (HIPAA Breach Notification Rule, state AG offices in Ohio and Indiana), and call-center capacity in anticipation of downstream impacts if data is published.
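As a starting point for the hunting step above, the following added example (not part of the original report and not any vendor's detection content) scans process-creation records for the tooling this article names and escalates hosts where an Rclone transfer is followed by an event-log clear. The record layout, host names, paths and sample lines are constructed for illustration, and the rules are assumptions that need allowlisting for legitimate administrative use of PsExec and AnyDesk.

```python
import re
from collections import defaultdict

# Constructed sample records (not from a real incident):
# (host, ISO-8601 time, image path, command line)
SAMPLE = [
    ("EPCR-SRV01", "2026-05-10T02:11:04", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("EPCR-SRV01", "2026-05-10T02:14:31", r"C:\Users\Public\rclone.exe",
     r"rclone.exe copy D:\ePCR remote1:upload --transfers 16"),
    ("EPCR-SRV01", "2026-05-10T03:40:12", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    ("BILL-WS07", "2026-05-10T02:20:00", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("DISP-WS02", "2026-05-10T09:00:00", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
]

# Each rule receives the lowercased image basename and lowercased command line.
RULES = {
    "rclone_transfer": lambda img, cmd: img.startswith("rclone")
        and re.search(r"\b(copy|sync|move)\b", cmd),
    "event_log_clear": lambda img, cmd: re.search(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog", cmd),
    "psexec": lambda img, cmd: img.startswith(("psexec", "psexesvc")),
    "anydesk": lambda img, cmd: img.startswith("anydesk"),
}

def hunt(records):
    """Return (hits, escalate): per-record rule matches, and hosts where an
    Rclone transfer was seen before an event-log clear."""
    hits = []
    for host, ts, image, cmdline in records:
        img = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        for name, rule in RULES.items():
            if rule(img, cmdline.lower()):
                hits.append((host, ts, name))
    # ISO-8601 timestamps sort correctly as strings.
    by_host = defaultdict(list)
    for host, ts, name in sorted(hits, key=lambda h: h[1]):
        by_host[host].append(name)
    escalate = sorted(
        host for host, names in by_host.items()
        if "rclone_transfer" in names and "event_log_clear" in names
        and names.index("rclone_transfer") < names.index("event_log_clear"))
    return hits, escalate

if __name__ == "__main__":
    found, urgent = hunt(SAMPLE)
    for hit in found:
        print(hit)
    print("escalate:", urgent)
```

Matching on image name alone misses renamed binaries, so pair this with hash or signer checks where the telemetry provides them.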