Bell Ambulance data breach affects more than 238,000 individuals

A ransomware attack on a U.S. emergency medical services provider exposed sensitive personal and healthcare information tied to hundreds of thousands of patients.

 

What happened

Bell Ambulance, a U.S. emergency medical services provider that offers ambulance transport, paramedic care, and patient support, confirmed a data breach that affected 237,830 individuals. According to Security Affairs, the organization detected unauthorized activity on its network on February 13, 2025, and began investigating with assistance from third-party forensic specialists. Investigators later confirmed that an unauthorized individual accessed systems containing sensitive information. The Medusa ransomware group subsequently claimed responsibility for the intrusion and alleged that more than 219 gigabytes of data had been stolen and leaked. Bell Ambulance reported that attackers accessed its network between February 7 and February 14, 2025, and the organization completed its review of affected systems on February 20, 2026, before notifying regulators and impacted individuals.

 

Going deeper

The exposed data includes names, Social Security numbers, birth dates, driver’s license numbers, financial account information, medical details, and health insurance data. Such information is particularly sensitive in healthcare breaches because it combines identity data with clinical information, increasing the risk of identity theft, insurance fraud, and medical identity misuse. Emergency medical services providers like Bell Ambulance operate across hospital networks, insurance systems, and patient transport services, meaning a compromise of operational systems can expose multiple types of patient records at once. Following the incident, the organization reset system passwords, secured affected accounts, and launched remediation efforts. Impacted individuals were offered twelve months of credit monitoring and identity protection services.

 

What was said

Bell Ambulance described the timeline and investigation in a notification letter submitted to the Maine Attorney General and shared with affected individuals. The organization wrote, “On February 13, 2025, we became aware of unauthorized activity on our computer network and immediately engaged third-party forensic specialists to determine the full nature and scope of the incident.” The notice continued, “This investigation confirmed an unauthorized individual accessed data within the Bell network. We then began a thorough review of the impacted portions of our network to determine the type of information contained therein and to whom the information related.” The breach notification was issued as part of regulatory reporting to the Maine Attorney General in March 2026.

 

In the know

According to the Cybersecurity and Infrastructure Security Agency (CISA), the Medusa ransomware-as-a-service variant has been used in attacks since 2021. Medusa originally operated as a closed ransomware operation controlled by a single group, but it later adopted an affiliate model while keeping functions such as ransom negotiations under the developers’ control. CISA states that both developers and affiliates, referred to as “Medusa actors,” use a double extortion model in which attackers encrypt victim data and threaten to publicly release stolen data if payment is not made. Initial access is often obtained through brokers recruited in cybercriminal forums, with potential payments ranging from $100 to $1 million for exclusive access opportunities. These affiliates commonly use phishing campaigns to steal credentials and exploit unpatched software vulnerabilities to gain entry to victim networks.

 

The big picture

Monitoring site Ransomware.live has tracked 518 victims of the Medusa ransomware since the group emerged in 2023, including at least 43 healthcare organizations. Researchers believe some recent healthcare attacks may be linked to North Korean Lazarus Group actors, with affiliates deploying Medusa in exchange for a share of ransom payments. Analysts said, “It's definitely possible that North Korean actors are behind these recent attacks because it conforms with the targeting of healthcare organizations detailed in the 2024 indictment” of Hyok, adding, “Only a post-incident investigation at these organizations would confirm for sure.” The report also said the use of Medusa signals North Korea's “rapacious involvement” in cybercrime and warned, “North Korean actors appear to have few scruples about targeting organizations in the United States. While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn't seem to be in any way constrained.”

 

FAQs

Why are emergency medical service providers targeted by ransomware groups?

Emergency medical service organizations rely on interconnected dispatch, patient, and billing systems that must remain available for critical care operations. Attackers often view these environments as high-pressure targets that may feel compelled to restore systems quickly.

 

What makes healthcare breach data particularly valuable?

Healthcare records often contain identity information, insurance details, and clinical data in a single file. The combination allows criminals to commit identity theft, insurance fraud, or medical identity fraud.

 

What is the Medusa ransomware group?

Medusa is a ransomware operation known for stealing data from victims and threatening to leak it publicly if payment demands are not met, a tactic often called double extortion.

 

Why do investigations take many months to complete?

Forensic investigations must identify what systems were accessed, what information was stored there, and which individuals were affected. Large healthcare environments may contain multiple databases and legacy systems that require detailed analysis.

 

What steps should affected individuals take after a healthcare breach?

Individuals are typically advised to monitor credit reports, review financial statements, watch for unexpected medical billing activity, and consider placing fraud alerts or credit freezes with credit bureaus.
