New York ambulance service Empress EMS (Emergency Medical Services) has reported a ransomware attack. Empress EMS detected the attack on July 14, 2022, and the files contained in selected systems were encrypted. According to the notification posted on the company’s website, Empress EMS took immediate steps to contain the incident and engaged third-party forensics specialists to investigate the attack.
According to the results of the forensic investigation, the attackers first gained access to its system on May 26, 2022, and copied a small part of the files on July 13, 2022. They then deployed ransomware to encrypt the files on its system. A thorough analysis of the affected files confirmed that they included protected health information (PHI) such as names, insurance details, dates of service, and Social Security numbers of a number of individuals.
Empress EMS has already submitted the data breach report to the HHS’ Office for Civil Rights, indicating that up to 318,558 patients were affected. Empress EMS has notified all affected individuals, instructed them to monitor their healthcare reports for accuracy, and told them that credit monitoring services will be provided to selected individuals. Empress EMS said that it took steps to reinforce system security to prevent similar incidents in the future.
Empress EMS did not say which group was responsible for the attack; however, the Hive ransomware group has claimed responsibility for it. Databreaches.net obtained a copy of the ransom note and part of the stolen information and stated that the files appear to include the PHI of Empress EMS patients. The Hive gang claims to have acquired the Social Security numbers of over 100,000 individuals, as well as customer data such as home and email addresses, telephone numbers, passport numbers, payments, and working time. Employee information was also affected, together with NDAs, contracts, and other private company details.
At the time of publication, the Hive group had not listed the stolen information on its data leak website; however, some information was temporarily uploaded. Usually, when a victim does not pay the ransom, the group follows through on its threat and posts the stolen information.