Fallon Ambulance, a now-defunct service operated by Transformative Healthcare, experienced a data breach affecting nearly 1 million individuals.
What happened
Fallon Ambulance Services served the greater Boston area until December 2022. Despite shutting their doors, the organization still fell victim to a cyberattack beginning on February 17th, 2023.
Fallon discovered suspicious activity within its data storage on April 21st. Its parent company, Transformative Healthcare, released a notice to the Maine Office of the Attorney General.
Information that may have been impacted included names, addresses, Social Security numbers, medical information, driver's license numbers, and employment information. In total, it’s estimated that 911,757 individuals were impacted.
The attack is linked to ransomware group ALPHV Blackcat, which claimed responsibility in May 2023, stating they had stolen a terabyte of data including medical reports, paramedic reports, bills, and more. Since then, the HHS has released a cybersecurity advisory against the malicious organization.
What was said
In the statement from Transformative Healthcare, the organization said that when the suspicious activity was found, “Fallon promptly took steps to secure the archive and initiated a comprehensive investigation in the matter with the assistance of third-party specialists.”
The statement went on to say, “While Fallon is no longer operational, it nonetheless takes the protection of information seriously and has taken steps to secure data that may be stored in its archives for compliance with its legal obligations.”
Transformative Healthcare said that while they have no evidence of identity theft or fraud, the company will offer free identity protection services for two years.
Why it matters
It may be surprising that Fallon Ambulance fell victim to a cyberattack after ceasing operations, but many healthcare organizations are required to hold onto data for a certain period. Sometimes it’s for compliance reasons, or to ensure records are available to patients.
While laws regarding holding records are generally state-specific, some require organizations to maintain them for up to 10 years. HIPAA requires organizations to maintain records for six years.
Maintaining records can be an additional burden for companies that close down, especially if the closure is related to monetary losses. Some hospitals may choose to cut back on monitoring their data and networks, but this can have costly ramifications. Even if medical records are dated, when stolen, they can provide attackers with personal health information that can harm past patients' wellbeing.
Read more: Guidelines for HIPAA compliant documentation and record retention
The big picture
Fallon Ambulance’s parent company, Transformative Healthcare, will likely continue monitoring the situation to determine what next steps may be required, or if they may face any additional consequences for the breach.
The situation is a reminder that as long as an organization has patient health data, they must diligently protect it.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
