Bell Ambulance (Wisconsin) Data Breach Exposes Personal Data of 235,000 After Medusa Ransomware Cyberattack
A major cybersecurity incident affecting Bell Ambulance, the largest private ambulance service provider in Wisconsin, has exposed sensitive personal information belonging to more than 235,000 individuals following a ransomware attack linked to the Medusa cybercriminal group. The breach highlights growing risks facing healthcare infrastructure and emergency service providers as ransomware gangs increasingly target organizations that rely on continuous operations and store highly sensitive personal data.
The attack, which occurred in early 2025 but was publicly disclosed later, after an investigation and in line with regulatory notification requirements, resulted in the compromise of large volumes of personal and medical-related information. Bell Ambulance confirmed that the breach affected 237,830 individuals, making it one of the largest healthcare-related cybersecurity incidents reported in the state.
Sensitive personal and medical data exposed
According to the company’s breach notification, attackers gained unauthorized access to systems containing highly sensitive personal information. The compromised records include Social Security numbers, driver's license numbers, financial account information, medical details, and health insurance data belonging to patients and individuals who had interacted with Bell Ambulance services.
Healthcare data is particularly valuable to cybercriminals because it often contains a combination of personal identifiers, insurance records, and billing information. Unlike credit card numbers, which can be quickly cancelled or replaced, medical records and Social Security numbers are difficult to change, making them attractive for long-term fraud schemes.
Identity theft, fraudulent insurance claims, and targeted phishing campaigns are among the potential risks faced by victims whose information was exposed in the incident. Cybersecurity experts frequently warn that healthcare breaches can create cascading effects because attackers may combine stolen healthcare data with other breached datasets to build more complete digital profiles of victims.
Medusa ransomware gang claims responsibility
The Medusa ransomware group claimed responsibility for the cyberattack and stated that it had stolen approximately 219 gigabytes of data from Bell Ambulance systems. The attackers demanded a ransom payment of $400,000 in exchange for deleting the stolen data and refraining from publishing it on their leak site.
Ransomware groups have increasingly adopted double extortion tactics, where attackers not only encrypt systems but also steal sensitive information before launching the ransom demand. This strategy increases pressure on victim organizations, as even companies that can restore systems from backups may still face the threat of public data exposure.
Medusa has emerged as a notable ransomware operation in recent years and has been associated with attacks targeting healthcare providers, government agencies, educational institutions, and critical infrastructure operators. The group typically operates through a network of affiliates who gain access to corporate networks using stolen credentials, phishing campaigns, or vulnerabilities in internet-facing systems.
Investigation timeline and discovery of the breach
Bell Ambulance reported that it first discovered suspicious activity within its network on February 13, 2025. Following the detection of the incident, the organization launched an internal investigation with the assistance of cybersecurity experts to determine the scope and impact of the attack.
The investigation revealed that unauthorized actors had accessed certain internal systems and potentially extracted data. After identifying the affected records and verifying the scale of the breach, the company began notifying impacted individuals and regulators as required under data breach notification laws.
Notification efforts extended over several months as investigators analyzed additional datasets and confirmed the number of individuals affected. Organizations responding to cyber incidents often face complex forensic processes, especially when attackers move laterally through networks or access multiple databases during an intrusion.
Ransomware groups increasingly target healthcare infrastructure
The Bell Ambulance breach reflects a broader pattern in which ransomware groups target healthcare providers and emergency services organizations. Hospitals, ambulance operators, and healthcare billing systems rely heavily on digital infrastructure and must maintain continuous availability to support patient care. This operational urgency can put them under greater pressure during ransom negotiations.
Healthcare organizations also store large quantities of regulated data, including personally identifiable information, medical histories, insurance records, and billing details. Such datasets are highly valuable on underground cybercrime marketplaces where stolen information can be resold or used for identity theft and fraud.
Government agencies have repeatedly warned that attacks against healthcare providers pose risks that extend beyond financial damage. In severe cases, disruptions to medical systems can affect emergency response times, delay treatments, and create broader public safety concerns.
Law enforcement links Medusa to hundreds of attacks
Federal investigators have connected the Medusa ransomware operation to hundreds of cyberattacks targeting organizations worldwide. According to information shared by the FBI and other cybersecurity agencies, the group has been linked to more than 300 incidents involving critical infrastructure sectors.
These attacks frequently involve multi-stage intrusion techniques that combine phishing campaigns, credential theft, and exploitation of vulnerable systems. Once attackers gain a foothold inside a network, they often conduct reconnaissance, escalate privileges, and deploy ransomware payloads while simultaneously exfiltrating sensitive data.
The use of leak sites and public shaming tactics has become a defining characteristic of modern ransomware operations. By threatening to release stolen data publicly, attackers attempt to force organizations into paying ransom demands even if operational systems can be restored through backups.
The Bell Ambulance breach serves as another reminder that cyberattacks against healthcare infrastructure are becoming both more frequent and more sophisticated. As ransomware groups continue to refine their techniques and target organizations that handle sensitive personal data, security experts emphasize the importance of strong network defenses, continuous monitoring, and rapid incident response capabilities.