Acadian Ambulance Services is investigating a cyber attack that leaked the protected health and personal information of potentially millions of patients.
Based in Lafayette, LA, Acadian is one of the largest private ambulance services companies, serving approximately 24 million people in Louisiana, Mississippi, Tennessee, and Texas.
Acadian said it learned of the ransomware attack in June 2024 after detecting suspicious network activity that disrupted certain computer systems.
Acadian cyber attack did not impact patient care and ambulance services
The ambulance services company responded by strategically shutting down impacted systems and activating backups to minimize the impact on patient care.
Acadian’s swift response prevented the cyber attack from negatively impacting patient care or ambulance dispatching abilities.
“Because of the systems in place, the steps taken prior to this incident, and the immediate actions of our IT, Compliance, and Operational teams, Acadian was able to continue operations with no negative impact on patient care,” the company said.
Acadian said it has hired third-party specialists to investigate the cyber attack. After completing the investigations, the ambulance services provider will contact impacted individuals and notify federal and state regulatory authorities.
Acadian cyber attack leaked protected health information
The private ambulance services company determined that the threat actor accessed its customers’ protected health information (PHI).
“Upon further investigation, it appears that these threat actors were able to gain access to a secure server containing protected health information,” Acadian Ambulance said.
The disclosure follows the listing of Acadian on a dark web data leak site controlled by the Daixin Team ransomware group.
The ransomware group claimed responsibility for the Acadian ransomware attack and demanded $7 million in ransom or publish the stolen health information if the ambulance services company refused to pay. Acadian has offered to pay $173,000, a proposal that the ransomware group has rejected so far.
The group claims it stole 11 million customer and employee data records. The stolen data includes Social Security Numbers, names, dates of birth, medical record numbers and medical and treatment information.
The trove also includes phone numbers, employment information, case histories, and suspected drug use history. Victims whose sensitive personal and health data was leaked on the dark web face a persistent risk of identity theft, extortion, and targeted cyber attacks. Daixin also claims it stole Acadia’s financial information, which could compel the company to increase its ransom offer.
Acadian has yet to confirm the nature of the information stolen, although no evidence suggests that the ransomware group has exaggerated the severity of the data breach. Meanwhile, Acadian has confirmed that 10 million records contain unique personal information.
While some cyber gangs volunteer information regarding the attack vector to ridicule the victim’s poor cybersecurity practices, Daixin has withheld that information likely to maintain access.
“This incident underscores the critical need to protect sensitive health information. Healthcare organizations need to be enabled to adopt continuous monitoring, threat intelligence, and proactive security measures to safeguard against potential threats,” said Emily Phelps, Director of Cyware. “Investing in advanced security technologies and fostering industry-wide collaboration are essential steps in enhancing the resilience of healthcare entities.”
Ambulance services actively targeted by cybercriminals
Ambulance services are perfect targets of cyber attacks and extortion by cybercriminals. Numerous ambulance services have reported similar cyber attacks in the last 24 months.
In May 2024, DocGo Inc., an ambulance service operating in 30 U.S. states and the United Kingdom, reported a cybersecurity incident that it told the SEC had no “material impact on its overall financial condition or on its ongoing results of operations.”
In May 2023, Superior Air-Ground Ambulance Service, an Illinois-based rescue service, suffered a cyber attack that leaked the personal data and PHI of 858,000 people.
In December 2022, Tarrant County, Texas-based ambulance services provider MedStar Mobile Healthcare also reported a ransomware attack that impacted 612,000 individuals.
With limited budgets to barely cover basic cybersecurity, ambulance services also collect extensive sensitive personal and PHI and cannot withstand disruptions, making them highly vulnerable to cyber extortion.
Daixin Team targets healthcare organizations
Active since June 2022, Daixin is a relatively unknown threat actor that primarily targets the Healthcare and Public Health (HPH) Sector and other businesses.
Daixin victims include Bluewater Health, Chatham-Kent Health Alliance, Columbus Regional Healthcare System, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Oakbend Medical Center, Windsor Regional Hospital, TransForm Shared Service Organization, Crockpot, B&G Foods, and Malaysia’s AirAsia.
In October 2022, the FBI, CISA, and Department of Health and Human Services (HHS) issued a joint cybersecurity advisory about Daixin actively targeting U.S. healthcare providers.
Daixin exploits VPN vulnerabilities, compromised VPN credentials, and VPNs without multi-factor authentication. The ransomware group obtains credentials via malicious email attachments and moves laterally via Secure Shell (SSH) and Remote Desktop Protocols. The group was also observed accessing VMware vCenter Servers and resetting passwords.
Unlike other ransomware groups with custom in-house encryptors, Daixin Team’s ransomware is based on the publicly released Babuk Locker source code.