Cyber Incident Victim: Bell Ambulance, Inc.

Bell Ambulance, Inc., a Milwaukee, Wisconsin-based healthcare organization providing ambulance services, experienced a significant data security incident in February 2025. According to information provided to the Maine Attorney General’s Office, unauthorized hackers gained access to the company’s network over a period spanning from February 7, 2025, through February 14, 2025. The organization itself detected this network intrusion on February 13, 2025, initiating its internal response protocols. The incident was later attributed to the Medusa ransomware gang, which publicly claimed responsibility for the attack in March 2025. In its initial public disclosures around the time of detection, Bell Ambulance reported that approximately 114,000 individuals had been impacted by the breach. The company subsequently conducted a full investigation to determine the complete scope of compromised information, finalizing this assessment on February 20, 2026, as documented in its notification letter. Following the conclusion of this investigation, Bell Ambulance formally disclosed the full extent of the incident and began the process of notifying affected individuals, ultimately submitting details to the Maine Attorney General’s Office indicating a significantly larger victim population.

The finalized investigation revealed that the personal and sensitive information of 237,830 individuals was accessed and potentially exfiltrated during the attacker’s window of access. The compromised data elements included a broad array of personally identifiable information and protected health data, specifically encompassing individuals’ full names, Social Security numbers, dates of birth, and driver’s license numbers. Furthermore, the breach exposed financial account information as well as detailed medical and health insurance information, creating a substantial risk for identity theft and fraud. In response to the confirmed breach, Bell Ambulance implemented immediate containment and remediation measures, which included securing its network environment, resetting all relevant passwords, and securing all potentially affected user accounts. The organization also engaged in a comprehensive forensic investigation to understand the full mechanics and impact of the incident. To support the affected population, Bell Ambulance is offering 12 months of complimentary credit monitoring and identity protection services. The company explicitly stated that the Medusa ransomware group subsequently published the allegedly stolen data online, a action that strongly suggests Bell Ambulance did not accede to the ransom demand. The organization continues to encourage all impacted individuals to remain vigilant for signs of potential fraud and identity theft.