Pasquotank-Camden Emergency Medical Service

Pasquotank-Camden Emergency Medical Service operates as a regional emergency medical provider serving Pasquotank and Camden counties in North Carolina, United States. The organization delivers critical pre-hospital care and transport services, functioning as an integral part of the local public health and safety infrastructure. Its operations involve the direct handling of sensitive patient protected health information (PHI), including personal and medical data, which is processed through its administrative and billing systems. The service's scope is defined by its municipal or county-level mandate, focusing on emergency response within its designated geographic area rather than on a state or national scale. Core activities encompass emergency medical treatment at incident scenes, patient stabilization, and transportation to medical facilities, supported by back-office functions like billing and records management that necessitate the secure handling of a decade's worth of patient data.

A defining event in the organization's recent history occurred on December 14, 2018, when an unauthorized intrusion exploited a previously unknown vulnerability in a third-party billing software application. This security incident allowed an attacker to impersonate a legitimate user and gain access to systems containing extensive PHI. While the attacker deleted files, there was no evidence of data exfiltration or ransom demands. The breach impacted approximately 40,000 individuals, with the notification process significantly delayed due to the complex task of reviewing the vast number of compromised files. The organization's response included swift restoration of operational data without disruption to emergency services, credit monitoring and identity restoration services for affected individuals, and a subsequent evaluation of its technology infrastructure, including consideration of cloud-based or alternative software solutions. The software vendor patched the vulnerability, and the county's handling of the incident highlighted the operational and reputational challenges faced by regional EMS providers in safeguarding patient data against sophisticated supply-chain attacks.