New York ambulance service discloses data breach after ransomware attack

Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information.

According to the notification, the company suffered a ransomware attack on July 14, 2022.

An investigation into the incident revealed that the intruder had gained access to Empress EMS’ systems on May 26, 2022. About a month and a half later, on July 13, the hackers exfiltrated “a small subset of files,” a day before deploying the encryption.

“Some of these files contained patient names, dates of service, insurance information, and in some instances, Social Security numbers,” reads the disclosure from Empress EMS.

“Empress EMS is mailing letters to affected individuals and offering eligible individuals credit monitoring services,” the company announced.

The details of the attack describe a standard double-extortion ransomware incident where cybercriminals steal files, encrypt systems, and then threaten the victim to publish the data unless a ransom is paid.

Although the company does not mention the group responsible for the attack. However, BleepingComputer found that the Hive ransomware gang had prepared on July 26 a non-public entry for the Empress EMS data leak.

The ransomware gang has removed the associated entry from their website, but we were able to verify that Hive published the data after checking historical dark web data from cyber-intelligence firm KELA.

Empress informed the U.S. Department of Health and Human Services that the number of individuals affected by this incident is 318,55. However, there are concerns that more people might be impacted.

The notice explains that even those who haven’t received a letter but can confirm they used Empress EMS’ services via healthcare statements, should contact the firm by October 9, 2022, to benefit from credit monitoring services.

Empress EMS states it has strengthened the security of its systems and protocols to prevent similar incidents from happening in the future.

Today, Cole & Van Note, an American consumer rights law office, has announced an investigation into the incident to explore litigation and reimbursement potential on behalf of the impacted individuals.

Update 9/18: DataBreaches.net has published more evidence pointing to Hive, in the form of correspondence between the threat actor and the victim.

Additionally, the publication was able to retrieve a sample of the stolen data and confirmed that many entries appear to belong to Empress EMS customers.

Related Articles:

MediSecure e-script firm hit by ‘large-scale’ ransomware data breach

Singing River Health System: Data of 895,000 stolen in ransomware attack

Infosys McCamish says LockBit stole data of 6 million people

Former IT employee accessed data of over 1 million US patients

Change Healthcare lists the medical data stolen in ransomware attack