Bell Ambulance Data Breach Impacts 238,000 People: Details & Response

🚨 Bell Ambulance Data Breach: What You Need to Know

237,830 individuals had their personal, medical, financial, and health insurance information exposed in a February 2025 cyberattack on Bell Ambulance.
The Medusa ransomware gang claimed responsibility and published 219.50 GB of stolen data after Bell Ambulance allegedly refused to pay the ransom.
Stolen data includes Social Security numbers, driver’s license numbers, financial account details, and protected health information — a combination that creates serious long-term identity theft risk.
Bell Ambulance initially disclosed the breach affecting 114,000 people, but the confirmed victim count nearly doubled as the investigation expanded — find out why further in this article.
If you received a notification letter, there are five immediate steps you should take to protect yourself, outlined in detail below.

Over 238,000 people just had some of their most sensitive personal and medical data exposed — and most of them may not fully understand what that means for their safety yet.

Bell Ambulance is a U.S.-based emergency medical services provider that handles ambulance transport, paramedic care, interfacility transfers, and urgent patient support. The organization serves communities that depend on fast, reliable emergency response. But in February 2025, its internal network became the target of a sophisticated ransomware attack that compromised a massive volume of patient and personnel data. If you or someone you know has used Bell Ambulance’s services, this breach may directly affect you. Resources like IDStrong provide guidance and tools that help data breach victims understand their exposure and take action quickly.

238,000 People Affected by the Bell Ambulance Data Breach

The scale of this breach is significant. Bell Ambulance filed official notification confirming that 237,830 individuals were impacted by the cyberattack. That number places this incident among the more serious healthcare data breaches reported in 2025, and the consequences for victims extend well beyond a simple password reset.

Official Breach Summary

Organization: Bell Ambulance
Breach Detected: February 13, 2025
Total Individuals Affected: 237,830
Data Published by Attackers: Yes — 219.50 GB released publicly
Responsible Group: Medusa Ransomware Gang
Initial Disclosure Date: April 14, 2025
Types of Data Exposed: Personal, financial, medical, and health insurance information

When the Breach Was Detected

Bell Ambulance detected unauthorized activity within its network on February 13, 2025. Upon discovering the intrusion, the organization immediately engaged third-party cybersecurity and forensic specialists to investigate the scope of the attack. That investigation confirmed that protected health information and other sensitive data had been accessed and exfiltrated by the attackers.

How Many People Were Actually Impacted

The number of confirmed victims grew significantly as the investigation progressed. Bell Ambulance first publicly disclosed the breach on April 14, 2025 — approximately two months after detection — with an initial figure of around 114,000 affected individuals. However, as forensic review continued, that number climbed to 237,830 people, nearly doubling the original estimate. For more insights on how breaches occur, explore the security flaws and exploits that can lead to such incidents.

This kind of victim count expansion is not unusual in large-scale ransomware incidents. Initial investigations often capture only the most immediately identifiable affected records, while deeper forensic analysis uncovers additional compromised files across different systems and data stores. The final number reflects a thorough — though delayed — accounting of all exposed individuals.

Initial victim count reported on April 14, 2025: ~114,000
Final confirmed victim count: 237,830
Data volume stolen and published: 219.50 GB
Time between breach detection and first public disclosure: ~2 months

The Medusa Ransomware Gang’s Involvement

The Medusa ransomware group publicly claimed responsibility for the Bell Ambulance attack in March 2025, stating they had stolen 219.50 GB of data from the organization’s systems. When Bell Ambulance did not pay the demanded ransom, Medusa followed through on their threat and published the stolen data — meaning sensitive information belonging to nearly 238,000 people is now potentially accessible to anyone with the intent to misuse it. This is a critical detail that elevates the risk level for every affected individual.

What Data Was Stolen in the Bell Ambulance Breach

Not all data breaches carry the same level of risk. The Bell Ambulance breach is particularly serious because of the combination of data types that were exposed. Attackers didn’t just grab email addresses — they accessed records that touch nearly every dimension of a person’s identity.

Personal Identifying Information Exposed

The breach exposed core identifying information that is commonly used in identity theft schemes. This includes full names, Social Security numbers, and driver’s license numbers. These three data points alone are enough for a bad actor to open fraudulent accounts, apply for loans, or file false tax returns in a victim’s name.

Financial and Medical Records Compromised

Beyond personal identifiers, Bell Ambulance’s breach also compromised financial account information and protected health information (PHI), including health insurance details. Medical and financial data together create a dangerous combination — one that enables both insurance fraud and direct financial theft. Health insurance data in particular can be exploited to submit fraudulent medical claims, which can go undetected for months or even years. For organizations looking to bolster their defenses against such threats, exploring effective threat hunting tools can be a crucial step.

Why This Type of Data Is Especially Dangerous

When financial data is stolen, banks can freeze accounts and issue new cards. But Social Security numbers, medical histories, and health insurance IDs cannot simply be replaced. These are permanent identifiers that follow a person for life.

The fact that Medusa published all 219.50 GB of stolen data publicly means this information isn’t just in the hands of one criminal group — it’s now potentially circulating across dark web marketplaces and hacker forums. Victims face a long-term risk window, not just an immediate threat.

Healthcare organizations are among the most targeted sectors precisely because of the richness of the data they hold. A single patient record can contain enough information to commit multiple types of fraud simultaneously — medical fraud, financial fraud, and identity theft — making it far more valuable on criminal markets than a simple credit card number. For more insights into how these threats are tracked, explore how threat hunting tools can track down hidden threats.

Data Exposed in the Bell Ambulance Breach

Data Type Risk Level Potential Misuse

Full Name Medium Identity fraud, account takeover

Social Security Number Critical Tax fraud, loan applications, identity theft

Driver’s License Number High Synthetic identity creation, impersonation

Financial Account Information High Direct theft, fraudulent transactions

Protected Health Information Critical Insurance fraud, medical identity theft

Health Insurance Details High Fraudulent claims, benefit theft

Data Type	Risk Level	Potential Misuse
Full Name	Medium	Identity fraud, account takeover
Social Security Number	Critical	Tax fraud, loan applications, identity theft
Driver’s License Number	High	Synthetic identity creation, impersonation
Financial Account Information	High	Direct theft, fraudulent transactions
Protected Health Information	Critical	Insurance fraud, medical identity theft
Health Insurance Details	High	Fraudulent claims, benefit theft

How the Bell Ambulance Breach Unfolded

Understanding the timeline of this breach matters — both for appreciating the severity of the attack and for recognizing why early notification to victims took as long as it did. Ransomware attacks of this scale don’t happen overnight, and neither does the investigation that follows.

The Medusa ransomware gang is known for a double-extortion approach: they encrypt a victim’s data to disrupt operations and simultaneously exfiltrate it to use as leverage. If the ransom isn’t paid, the stolen data gets published. That’s exactly what happened here.

February 13, 2025: Unauthorized Network Access Detected

On February 13, 2025, Bell Ambulance identified suspicious and unauthorized activity within its internal network. The organization moved quickly to bring in third-party cybersecurity forensic experts to contain the incident and begin a full investigation. This is standard protocol, but the complexity of determining exactly what was accessed — and whose data was involved — takes considerable time when dealing with a breach of this magnitude.

Forensic investigators had to comb through Bell Ambulance’s systems to identify which files were accessed, which were copied, and which individuals’ records were included. In cases involving ransomware actors like Medusa, attackers often move laterally through a network over days or weeks before triggering the final encryption payload — meaning the window of data exposure can be wider than the moment of detection suggests.

The timeline between detection (February 13) and first public disclosure (April 14) reflects the complexity of that investigation. While a two-month gap may seem long to those waiting for answers, large-scale healthcare breaches routinely involve this kind of delay due to the sheer volume of records requiring review.

February 13, 2025: Unauthorized network access detected by Bell Ambulance
February–April 2025: Third-party forensic investigation conducted
March 2025: Medusa ransomware gang publicly claims responsibility for the attack
April 14, 2025: Bell Ambulance makes first public disclosure, citing ~114,000 affected individuals
Post-April 2025: Continued investigation expands confirmed victim count to 237,830
Medusa’s action: Publishes 219.50 GB of stolen data after ransom goes unpaid

Forensic Investigation and Findings

Once Bell Ambulance engaged third-party cybersecurity specialists, the forensic team worked to determine the full scope of what the attackers accessed. Investigators confirmed that protected health information had been exfiltrated from Bell Ambulance’s systems — meaning the data wasn’t just viewed, it was taken. The investigation also identified the specific categories of data involved, which spanned personal identifiers, financial account details, medical records, and health insurance information.

Why the Final Victim Count Nearly Doubled From 114,000 to 237,830

When Bell Ambulance first disclosed the breach in April 2025, the initial victim count stood at approximately 114,000. That number reflected the records identified at the early stages of the forensic review. As investigators continued their analysis — examining additional systems, file servers, and data repositories — more compromised records surfaced, ultimately pushing the confirmed total to 237,830 individuals.

This expansion is a pattern seen repeatedly in large healthcare ransomware cases. Attackers like Medusa don’t limit their access to a single database — they move through networks systematically, collecting data from multiple locations. Early estimates capture the most obvious exposure points, while the full picture only emerges after weeks of deeper analysis. For victims, this means that even people who didn’t receive an initial notification letter may later discover their data was included.

Bell Ambulance’s Response to the Breach

After confirming the breach and completing the forensic review, Bell Ambulance began the process of notifying affected individuals and taking steps to address the security gaps exposed by the attack. The organization’s response followed a pattern common to HIPAA-regulated entities — containment, investigation, notification, and remediation.

Immediate Security Actions Taken

Bell Ambulance engaged third-party cybersecurity forensic specialists immediately upon detecting the unauthorized access on February 13, 2025. The organization worked to contain the intrusion, assess the damage, and secure its systems against further unauthorized access. While the specific technical remediation steps taken have not been publicly detailed, standard protocol in these situations includes isolating compromised systems, resetting credentials, patching vulnerabilities, and implementing enhanced network monitoring to detect any residual threat actor activity.

12 Months of Free Credit Monitoring Offered

Bell Ambulance is offering affected individuals 12 months of complimentary credit monitoring services as part of its breach response. This is a standard remediation offering in data breach cases, but it’s important to understand both its value and its limitations. Credit monitoring alerts you when new accounts are opened in your name or when significant changes appear on your credit report — but it does not prevent fraud from occurring. It also does not cover medical identity theft, which is one of the most serious risks in this particular breach given the nature of the data exposed.

What Affected Individuals Should Do Right Now

If your data was exposed in the Bell Ambulance breach, time matters. The Medusa ransomware gang has already published the stolen data publicly, which means your information could be actively circulating among bad actors right now. Don’t wait for fraud to appear before you act — the steps below are preventative measures that significantly reduce your risk.

1. Check If You Received a Notification Letter

Bell Ambulance is required under HIPAA to notify affected individuals by mail. If you or a family member have used Bell Ambulance services and received a letter from the organization in 2025, treat it seriously. The letter will include details about what specific information of yours was compromised and instructions on how to enroll in the free credit monitoring. If you believe you were a patient or had contact with Bell Ambulance but haven’t received a letter, you can contact the organization directly to inquire about your status.

2. Enroll in the Free Credit Monitoring Immediately

Don’t let the free credit monitoring offer go unused. Bell Ambulance’s notification letter will contain instructions for enrollment, including an activation code and a deadline to sign up. Enroll as soon as possible — even if you don’t currently see any suspicious activity. Credit monitoring provides an early warning system that can catch fraudulent account openings before they spiral into larger problems. Twelve months of coverage gives you a meaningful window of protection during the highest-risk period following the breach.

3. Place a Fraud Alert or Credit Freeze

A fraud alert requires lenders to take extra steps to verify your identity before opening new credit accounts in your name. You only need to contact one of the three major credit bureaus — Equifax, Experian, or TransUnion — to place a fraud alert, and that bureau is required to notify the other two. A fraud alert is free and lasts one year.

A credit freeze is a stronger measure. It completely restricts access to your credit report, making it nearly impossible for anyone — including you — to open new credit accounts until the freeze is lifted. Given that Social Security numbers and driver’s license numbers were exposed in this breach, a credit freeze is worth serious consideration. You’ll need to contact all three bureaus separately to freeze your credit, but the process is free and can be done online in minutes. You can temporarily lift the freeze whenever you need to apply for credit yourself.

4. Monitor Financial and Medical Statements Closely

Review your bank statements, credit card statements, and Explanation of Benefits (EOB) documents from your health insurer carefully over the next 12 to 24 months. Watch for charges you don’t recognize, medical procedures you never received, or prescriptions you never filled. Medical identity theft is particularly insidious because it can affect your actual medical records — leading to incorrect information about your health being on file, which can have real consequences if you seek care in the future. Report any unfamiliar activity to your financial institution or health insurer immediately.

5. Report Any Suspicious Activity to the FTC

If you discover that your information has been misused — fraudulent accounts opened, unauthorized charges, or suspicious medical claims filed in your name — report it to the Federal Trade Commission at IdentityTheft.gov. The FTC’s identity theft reporting tool creates a personalized recovery plan and generates official documentation you can use when disputing fraudulent accounts with creditors or financial institutions. You can also file a report with your local law enforcement, which provides an additional paper trail that can be critical for resolving identity theft cases. For more insights on protecting yourself, consider effective threat hunting tools to enhance your security measures.

Healthcare Providers Remain a Prime Ransomware Target

The Bell Ambulance breach didn’t happen in a vacuum — it’s part of a relentless pattern of ransomware attacks targeting the healthcare sector specifically because of what healthcare organizations store and how difficult it is for them to absorb operational disruption.

Why the Healthcare Sector Is Repeatedly Attacked

Healthcare organizations hold an extraordinary density of sensitive data. A single patient record can contain a name, address, Social Security number, insurance details, financial account information, and detailed medical history — all in one place. That combination is worth significantly more on criminal markets than isolated financial data alone. Ransomware groups like Medusa specifically target sectors where the data richness is high and the operational pressure to restore systems quickly is intense.

Emergency medical services providers like Bell Ambulance face an even sharper version of this pressure. When an ambulance service’s systems go down, the consequences aren’t just financial — they can directly affect patient care and emergency response. Attackers understand this, and they use it as leverage. The combination of high-value data and high operational vulnerability makes healthcare one of the most consistently targeted industries in the ransomware landscape.

The Medusa Ransomware Gang’s Track Record

Medusa is a ransomware-as-a-service operation that has been active and increasingly aggressive. The group employs a double-extortion model: they encrypt victims’ data to force operational chaos while simultaneously exfiltrating it to use as ransom leverage. If payment is not made, they publish the stolen data — which is exactly what occurred in the Bell Ambulance case. Medusa has targeted hospitals, school systems, and critical infrastructure organizations across multiple countries, demonstrating both the technical capability and the willingness to cause broad public harm in pursuit of financial gain.

The Bell Ambulance Breach Is a Warning for Healthcare Security

The Bell Ambulance breach is a clear signal that no healthcare organization — regardless of size or sector focus — is outside the crosshairs of sophisticated ransomware groups. Emergency medical services providers, in particular, need to treat cybersecurity with the same urgency they apply to physical emergency response. For the 237,830 people whose data was exposed, the attack is not an abstract cybersecurity story — it’s a real and ongoing threat to their financial stability, medical privacy, and personal identity. The fact that Medusa published 219.50 GB of stolen data publicly means that threat doesn’t have an expiration date. Affected individuals must remain vigilant well beyond the 12-month credit monitoring window Bell Ambulance has offered.

Frequently Asked Questions

If you’re trying to understand what happened, whether you’re affected, and what your options are, these answers cover the most critical questions surrounding the Bell Ambulance data breach.

Was Bell Ambulance hacked or was it a ransomware attack?

It was a ransomware attack. The Medusa ransomware gang infiltrated Bell Ambulance’s network, exfiltrated 219.50 GB of sensitive data, and then published it publicly after Bell Ambulance allegedly declined to pay the ransom. For organizations looking to bolster their defenses against such attacks, effective threat hunting tools can be invaluable in identifying and mitigating potential threats.

Attackers gained unauthorized access to Bell Ambulance’s internal network
They copied and removed sensitive data before triggering encryption
Bell Ambulance did not pay the ransom demand
Medusa published the stolen data publicly — 219.50 GB in total
The stolen data now potentially circulates across dark web forums and criminal marketplaces

This distinction between a standard hack and a ransomware double-extortion attack matters enormously for victims. In a typical breach, stolen data may be held privately and used selectively. In a double-extortion ransomware event where the data is published, the exposure is broader and the risk window extends indefinitely.

The Medusa group’s decision to publish the data publicly means that multiple criminal actors — not just the original attackers — potentially have access to the information of all 237,830 affected individuals. Each one of those actors represents a separate risk vector for identity theft, financial fraud, and medical identity theft.

How do I know if my data was included in the Bell Ambulance breach?

Bell Ambulance is required under HIPAA to send written notification to all individuals whose protected health information was compromised. If you have received — or receive — a notification letter from Bell Ambulance, your data was confirmed to be part of the breach. If you used Bell Ambulance’s services at any point and have not received a letter but are concerned, contact Bell Ambulance directly to verify your status. Because the victim count grew from 114,000 to 237,830 during the investigation, some individuals may have been notified in later waves of outreach rather than the initial round.

What should I do if I receive a breach notification letter from Bell Ambulance?

Read the letter carefully and take action immediately. The letter will specify exactly which categories of your data were involved — this matters because the risk profile for someone whose Social Security number was exposed differs from someone whose records contained only a name and address. Follow the enrollment instructions for the 12 months of free credit monitoring included in the offer, and do not ignore the enrollment deadline.

Beyond enrolling in the free credit monitoring, place a credit freeze with all three major bureaus — Equifax, Experian, and TransUnion — and set up a fraud alert. Begin reviewing your financial statements and health insurance Explanation of Benefits documents for any unfamiliar activity. If you notice anything suspicious, report it to the FTC at IdentityTheft.gov and contact your financial institution or health insurer right away. Acting quickly in the weeks immediately following notification gives you the best chance of intercepting fraud before it escalates. For more on enhancing your security measures, explore effective threat hunting tools.

Why did it take so long to notify all 238,000 affected individuals?

Bell Ambulance detected the breach on February 13, 2025, but the first public disclosure didn’t come until April 14, 2025 — approximately two months later. The final victim count of 237,830 represents an even later determination, as the initial disclosure cited roughly 114,000 affected individuals. This kind of delay is common in large-scale healthcare ransomware investigations and is not necessarily a sign of negligence on the organization’s part.

Forensic investigators must comb through every affected system, database, and file repository to determine precisely which records were accessed or exfiltrated. In a complex network environment where attackers like Medusa move laterally across multiple systems over an extended period, that process is time-consuming and technically demanding. HIPAA requires covered entities to notify affected individuals within 60 days of discovering a breach — a window that reflects the reality of how long thorough forensic investigations take. The expansion from 114,000 to 237,830 victims reflects the discovery of additional compromised records during deeper rounds of forensic analysis.

Can I take legal action against Bell Ambulance for the data breach?

Potentially, yes. Data breach victims in the United States have pursued class action lawsuits against healthcare organizations following significant breaches, particularly when the compromised data included protected health information governed by HIPAA. Whether a viable legal claim exists in a specific case depends on factors including what data was exposed, what harm you’ve experienced or can demonstrate, and whether Bell Ambulance can be shown to have failed to implement reasonable cybersecurity safeguards.

Several law firms that specialize in data breach litigation have already been monitoring the Bell Ambulance breach, as is common with incidents of this scale. If you’ve received a notification letter, you may be contacted by attorneys about potential class action participation. Before agreeing to join any legal action, it’s advisable to consult independently with a data privacy attorney who can assess the strength of your specific claim.

Regardless of whether legal action materializes, documenting your experience is important. Keep any notification letters you receive, record the dates and nature of any fraudulent activity you discover, save all correspondence with financial institutions or insurers about suspicious charges, and retain receipts for any costs you incur as a direct result of the breach — such as fees for credit monitoring or identity recovery services. This documentation forms the foundation of any future legal or regulatory complaint.