Texas County EMS Agency Says Ransomware Breach Hit 612,000Emergency Medical, Ambulance Providers Face Extra Security Threats, Experts Say
A municipal ambulance services provider that serves 15 cities in a Texas county has reported to federal regulators a ransomware breach potentially affecting 612,000 individuals, which is equivalent to nearly 30% of the county's 2.1 million population.
Metropolitan Area EMS Authority, a Texas government administrative agency that does business as MedStar Mobile Healthcare, reported the hacking incident to the U.S. Department of Health and Human Services' Office for Civil Rights on Dec. 19. MedStar, which provides ambulance services in Tarrant County, Texas, reported that on Oct. 20, it experienced "issues" with its network systems.
Colman McCarthy, an attorney at law firm Shook, Hardy & Bacon, which represents MedStar, tells Information Security Media Group the breach involved ransomware. MedStar did not pay a ransom but was able to fully restore its systems.
"Access to a portion of MedStar’s network was affected. All servers were back online within 48 hours," McCarthy says. "Throughout the incident, MedStar continued to provide emergency medical services to the communities it serves."
MedStar is still determining the full scope of the incident and intends to offer credit monitoring "as required by law and in line with industry practice."
In its breach notification statement, MedStar says an unauthorized third party gained access to a restricted location in MedStar’s computer network that contained a number of files, including some containing personal health information.
"We have not been able to confirm that those files were actually accessed by the third party, and therefore cannot say that any personal information in those files was accessed," the statement says.
The affected files contained information for individuals who received treatment and care from MedStar. For the "large majority" of affected individuals, only nonfinancial billing information was involved, MedStar says.
But for a portion of others affected, the potentially compromised information includes full name, birthdate, contact information, information related to medical care provided, and other identifiers, MedStar says.
MedStar says that the security measures it has in place enable it to take "prompt action" against attempted intrusions into its network. "Those measures were implemented here and reduced the scope of the third party’s activity," MedStar says. In the aftermath of the incident, MedStar will take further steps to secure its systems and data, it adds.
Other Ambulance Hacks
MedStar's ransomware breach is one of a number of hacking incidents - including other ransomware attacks - reported by other ambulance services and their vendors in recent months.
Those include an apparent ransomware attack and breach reported to HHS OCR on Sept. 9 by Empress Ambulance Services LLC, a New York-based ambulance company as affecting nearly 319,000 individuals.
Massachusetts-based Comstar LLC, which provides billing, collection and other services to municipal and nonprofit ambulance companies, in May reported a hacking breach affecting nearly 69,000 individuals (see: Hacks Spotlight PHI Risks for Ambulance Cos., Vendors).
"Ransomware actors target ambulance companies for the exact same reason they target any other type of company: They have money," says Brett Callow, threat analyst at security firm Emsisoft.
"The actors may also consider ambulance companies to be a good target because they provide critical services and need to be back online quickly, which may mean they will be more likely to pay than other companies."
Not enough progress is being made in tackling the threat of ransomware, especially its impacts on the healthcare sector, Callow says. "We know that even slight delays in obtaining medical care can significantly affect outcomes - heart attack and stroke patients are two obvious examples - so these incidents represent a very serious risk to life."
Emergency management services agencies such as MedStar also face unique security, privacy and compliance challenges due to the circumstances in which they provide healthcare, says regulatory attorney Paul Hales of the Hales Law Group.
"They are healthcare 'special forces,' working in the field in emergencies - not in carefully designed, well-equipped hospitals," he says.
"Accordingly, EMS HIPAA compliance programs including risk analysis, risk management and workforce training demand special attention," he says.
Unfortunately, entities faced with emergency patient care requirements can be tempted to put those data security and privacy activities on the back burner, Hales says.