Acadian Ambulance Cyberattack Notifies Almost 2.9 Million Affected Individuals

Acadian Ambulance Service based in Louisiana is sending notifications to individuals impacted by a cyberattack and data breach. According to the Daixin Team, they had stolen 10 million unique records from the private ambulance service. The threat group posted a listing on their dark web leak site, threatening to release the data if a ransom was not paid. However, the actual breach report by Acadian Ambulance to the HHS’ Office for Civil Rights on August 20, 2024 only involved the protected health information (PHI) of 2,896,985 persons, a figure far lower than Daixin Team’s claim.

In its breach notification, Acadian Ambulance confirmed the discovery of suspicious activity on its systems on June 21, 2024. The company immediately isolated its network to stop further unauthorized access and engaged third-party professionals to investigate the incident. As per the investigation, a threat actor accessed the network from June 19 to June 21, 2024 and stole files. It took over two months to investigate the breach, analyze the compromised files, and compile updated contact data to send out notification letters.

The stolen information varied for each individual but potentially included names along with the following data: addresses, birth dates, and medical data collected during the patient intake process, and Social Security numbers. Although there has been no evidence of actual or attempted data misuse so far, Acadian Ambulance is offering affected individuals free credit monitoring and identity theft protection services. The company is also revising its policies and procedures to mitigate the risk of future incidents.

While Daixin Team initially demanded a $7 million ransom, Acadian Ambulance reportedly negotiated with the group but only offered to pay $173,000. The hackers claim the company can afford to pay more, as they had accessed the company’s financial information during the attack. The company remains listed on Daixin Team’s data leak site, with no confirmation of a finalized payment.

Daixin Team has been active since at least June 2022, targeting the healthcare sector with multiple high-profile attacks, including breaches at Oakbend Medical Center and Columbus Regional Healthcare System. If the group’s claims about the Acadian Ambulance breach hold true, this would be Daixin Team’s biggest healthcare data breach. The group was previously highlighted in a joint cybersecurity alert issued in October 2022 by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).

Acadian Ambulance is an employee-owned private ambulance service operating across the majority of Louisiana, Texas, one
county in Mississippi, and two counties in Tennessee. In 1995, it was acknowledged as the nation’s biggest private ambulance provider, serving approximately 24 million people. Upon discovering the cyberattack, the company swiftly implemented measures to secure its systems, stopping any further unauthorized access. Backup and redundancy systems were also initialized to ensure there was no disruption to patient care during the incident.

About Christine Garcia 1191 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA