
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Almost 2.9 Million Individuals Affected by Acadian Ambulance Cyberattack

Acadian Ambulance Service has started notifying the individuals affected by its recent cyberattack and data breach. Daixin Team claimed responsibility for the attack and suggested 10 million unique records were stolen from the Louisiana-based private ambulance service. While the breach involved a significant number of records, it was not as severe as Daixin Team claimed. On August 20, 2024, Acadian Ambulance reported the breach to the HHS’ Office for Civil Rights as involving the protected health information of 2,896,985 individuals.

Acadian Ambulance confirmed in its breach notification letters that suspicious activity was identified within its computer systems on June 21, 2024. Action was taken to isolate its systems to prevent further unauthorized access, and third-party computer specialists were engaged to investigate the security breach. They determined that a threat actor had access to its network between June 19, 2024, and June 21, 2024.  During that time, files were exfiltrated from its systems.  It has taken more than two months to investigate the incident, review the files involved, and identify accurate contact information to allow notification letters to be mailed.

Acadian Ambulance said the information compromised in the incident varied from individual to individual and may have included names in combination with addresses, dates of birth, Social Security numbers, and medical information collected during the intake process.  Acadian Ambulance has not identified any attempted or actual misuse of the stolen data; however, to protect against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Policies, procedures, and processes are also being reviewed and will be updated to reduce the risk of similar incidents in the future.

July 25, 2024: Daixin Team Claims to Have Stolen 10 Million Unique Records from Acadian Ambulance

Acadian Ambulance has confirmed that it was the victim of a cyberattack in June 2024 that disrupted the operability of certain computer systems. Daixin Team has claimed responsibility for the ransomware attack and is threatening to publicly release the stolen data if the ransom is not paid. The threat group claims to have exfiltrated a large amount of data from Acadian Ambulance’s systems, including the protected health information of around 10 million users of the ambulance service and employee data.


Acadian Ambulance is an employee-owned private ambulance service that covers most of Louisiana, a large portion of Texas, two Tennessee counties, and one county in Mississippi, and was recognized in 1995 as the largest private ambulance service in the country, serving a population of around 24 million individuals. When the attack was detected, immediate action was taken to lock down its systems to prevent further unauthorized access, and backup and redundancy systems were activated to prevent disruption to patient care.

The subsequent forensic investigation confirmed that there had been unauthorized access to a server containing patients’ protected health information and employee data. The files on the server are being reviewed to identify the individuals affected and the types of data involved. Acadian Ambulance said those individuals and appropriate federal and state agencies will be notified about the incident when that process has been completed.

The listing on Daixin Team’s data leak site claims the stolen data includes 11 million lines of data, including patient names, dates of birth, phone numbers, medical histories, case histories, employment information, symptoms, suspected drug use, as well as employee information. While there is some duplication of information in those lines of data, Daixin Team confirmed in communications with Dissent of databreaches that there are around 10 million lines of unique data in the stolen dataset.

The group claims to have demanded a $7 million ransom, and while Acadian Ambulance has negotiated with the group, it only offered a maximum payment of $173,000. While attempts were being made to raise more funds, the amount being offered is only a fraction of the amount demanded by Daixin. Daixin has threatened to release the full data shortly if its demands are not met and alleges the company can afford to pay more, since it obtained information about the company’s financial position in the attack. A payment does not appear to have been negotiated with the group at the time of writing, as Acadian Ambulance is still listed on the group’s data leak site.

Daixin Team has been in operation since at least June 2022 and has conducted several attacks on the healthcare and public health sector, including Columbus Regional Healthcare System and Oakbend Medical Center. If the group’s claims are valid, this will be the largest healthcare data breach linked to the group. Daixin Team was the subject of a joint cybersecurity alert from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) in October 2022.

Also see: Acadian Ambulance Facing Multiple Class Action Lawsuits Over Data Breach

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
