Acadian Ambulance

Update September 10, 2024: Acadian Ambulance Services reported the June 2024 hacking incident to the U.S. Department of Health and Human Services on August 20, stating that it affected 2.89 million individuals and involved a network server. According to Acadian’s breach notice on its website, it is notifying the individuals affected. Acadian is now facing multiple class action lawsuits over the breach.

Acadian Ambulance Services (Acadian) is the latest EMS provider to face cybersecurity threats from hackers seeking to profit from stolen records.

Acadian is under pressure from a ransomware group to pay $7 million to prevent the exposure of over 10 million patients’ medical records. Acadian provides services to 24 million residents in 70 parishes and counties of Louisiana, Mississippi, Tennessee, and Texas. According to the company’s statement, the incident was discovered in late June.

The company’s IT staff observed “unexpected activity” on its network, which disrupted operations. They were able to lock down systems, activate backups, and remain operational, but only after the hackers had accessed a server containing patients’ protected health information (PHI). The company explained:

“Acadian is working quickly and diligently to identify and notify impacted individuals and will follow all other regulatory and notification requirements resulting from this incident.”

The company did not mention the ransomware demand in its statement, but the ransomware group Daixin alerted the media site DataBreaches.net, which posted about it on July 23. Daixin said it had demanded a $7 million ransom, but after weeks of negotiations, Acadian claimed it could only pay less than $173,000. As of July 23, no ransom appears to have been paid, according to DataBreaches.net.

EMS is a Target for Hackers

Emergency Medical Service (EMS) providers carry enormous amounts of protected health information (PHI) in a fast-paced environment of fieldwork and vehicles. All the data they carry in the field must be recorded, transferred, and stored on servers. With all the points of transfer and storage, EMS data is vulnerable to attack.

In May, Illinois-based Superior Air-Ground Ambulance Service reported to HHS that a 2023 hacking incident affected more than 858,000 individuals.

DocGo, which provides mobile medical and transportation services in the U.S. and the United Kingdom, reported in May to the U.S. Securities and Exchange Commission that it had “recently” identified a cybersecurity incident involving some of its systems.

As reported by the Information Security Media Group, DocGo’s SEC filing did not give the date the incident was discovered but said the company determined that the threat actor accessed and acquired data, including certain protected health information (PHI), from a limited number of healthcare records within the firm’s U.S.-based ambulance transportation business. The DocGo breach has yet to be reported to HHS or a state regulator.

Security Risk Assessment Uncovers Threats

Use the HIPAA Privacy and Security Rules to guide an annual Risk Analysis and follow up with actions to better protect the patient data in your care. A complete HIPAA Risk Analysis covers the entire operation, including paper records, workforce training, and business associates. It also includes a security risk assessment focusing on electronic protected health information (ePHI).

Even if you already follow HIPAA, your risk management plan can help you improve. Do the Risk Analysis every year and manage the risks year-round to avoid the dreaded demand for ransom.

Additional guidance can be found at StopRansomware.gov or by calling The HIPAA E-Tool®.
