Acadian Ambulance reported a cyberattack in June 2024 that disrupted the functionality of selected computer systems. Daixin Team claimed responsibility for the ransomware attack and threatened to release the stolen information to the public if no ransom is paid. The ransomware group states that it extracted information from Acadian Ambulance’s systems, including the protected health information (PHI) of about 10 million recipients of ambulance service and employee information. Acadian Ambulance has not confirmed the scope of any data theft.
Acadian Ambulance is a private ambulance service operating in Louisiana, a large part of Texas, two Tennessee counties, and one Mississippi county. It was known in 1995 as the country’s biggest private ambulance service, providing its services to about 24 million people. When the cyberattack was discovered, the company acted quickly to secure its systems and stop the threat actor’s unauthorized access. Backup and redundancy systems were turned on to avoid disruption to patient care.
The subsequent forensic investigation showed that there was unauthorized access to a server that contained patients’ PHI and employee information. The files stored on the server are under review to determine which people were impacted and which types of information were affected. Acadian Ambulance stated that those people and the appropriate government and state agencies will receive updates about the incident when that review is finished.
Daixin Team listed Acadian Ambulance on its data leak site, claiming that 11 million lines of data were stolen, including patient names, birth dates, telephone numbers, medical backgrounds, case histories, work data, symptoms, suspected drug use, and employee details. Although some of those lines repeat data, Daixin Team stated that the stolen dataset included about 10 million lines of unique information. Acadian Ambulance should have implemented HIPAA encryption to protect the sensitive information it retains.
The threat group issued a $7 million ransom demand to the victim. Acadian Ambulance negotiated with the group but offered to pay only up to $173,000. During the negotiation, Daixin pushed for more money, as the amount offered was just a small percentage of the sum it demanded. Daixin threatened Acadian Ambulance that the complete data would be leaked if its demands were not met. The threat group alleges that the company is able to pay more, saying it saw the company’s financial status in the data acquired during the attack. No payment appears to have been made to the group as of this writing, since the company is still posted on the group’s data leak website.
Daixin Team began its operations in June 2022 and has carried out several attacks on the healthcare and public health sector, including attacks on Oakbend Medical Center and Columbus Regional Healthcare System. If the group’s claims are true, this will be the biggest healthcare data breach associated with the group. Daixin Team was the focus of a joint cybersecurity advisory by the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) in October 2022.