Wisconsin’s Biggest Ambulance Company Says Hack Exposed Data of 237,830 Patients


Bell Ambulance, the largest ambulance provider in Wisconsin, says a cyberattack exposed highly sensitive personal and medical data tied to 237,830 people, information that can fuel identity theft, financial fraud, and targeted scams.

The company detected the intrusion on Feb. 13, 2025, but the full scope took months to pin down. Patient notifications began in spring 2025 and continued in waves into March 2026 as investigators identified additional victims.

The ransomware group known as Medusa has claimed responsibility, demanding $400,000 in exchange for the stolen data and boasting it siphoned off 219 gigabytes (GB) of files.

What Bell Ambulance says happened

Bell Ambulance says it spotted “unauthorized activity” on its network on Feb. 13, 2025, and brought in outside cybersecurity specialists to contain the incident and determine what was accessed or copied.

That kind of forensic work can be slow and painstaking: investigators have to reconstruct a timeline, identify which servers were touched, figure out how attackers got in, and determine how long they stayed. In health care and emergency services, where systems handle dispatch records, billing, insurer communications, and patient details, a breach can involve both visible disruption and quiet data theft.

Bell isn’t a small-town operation. The company runs stations across the Milwaukee area and southeastern Wisconsin, including communities such as Wauwatosa, Waukesha, Racine, Mount Pleasant, and Kenosha. It handles roughly 140,000 calls a year and employs more than 750 people, a scale that makes shutting down systems for long stretches far more complicated than it sounds.

What data was exposed, and why it matters

Bell says the stolen information may include Social Security numbers, driver’s license numbers, financial account details, and medical and health insurance information. That combination is especially valuable to criminals because it can support everything from opening new credit lines to filing fraudulent insurance claims.

Early assessments indicated protected health information was involved for about 114,000 people. Even when records don’t include a full medical history, details tied to an ambulance run (insurance identifiers, billing data, and treatment-related notes) can be deeply personal and can make scams more believable.

With a Social Security number and date of birth, fraudsters can attempt credit applications, change-of-address schemes, or other forms of identity takeover. Add insurance data and a reference to an ambulance transport, and criminals can craft convincing calls or emails posing as an insurer, a billing department, or a medical provider.

Bell says it offered affected individuals 12 or 24 months of credit monitoring and identity theft protection. Those services can help detect misuse, but they don’t erase the long-term risk: Social Security numbers don’t get swapped out like a credit card.

Medusa’s ransom demand: $400,000 and a claim of 219 GB stolen

The Medusa group publicly claimed the attack and tied it to a $400,000 ransom demand. The group also claimed it exfiltrated 219 GB of data, a figure meant to increase pressure by signaling it can leak files if the victim doesn’t pay.

U.S. authorities have described Medusa as a “ransomware-as-a-service” operation that emerged in 2021 and has been linked to hundreds of attacks, including against what the government considers critical infrastructure, sectors where downtime can quickly become a public safety issue.

Medusa’s claims don’t automatically confirm every technical detail; ransomware groups often hype numbers to strengthen their leverage. But Bell’s own disclosures about the categories of data involved and the number of people affected put the incident among the more serious health-related breaches.

Why notifications stretched from 2025 into March 2026

Bell began notifying some affected people in April 2025, then continued identifying additional victims through the fall. The company later cited key milestones in 2026, including additional identification work around Jan. 15, 2026, completion of its data review on Feb. 20, 2026, and another round of letters sent March 9, 2026.

For patients, that timeline can feel like a moving target. For investigators, it often reflects the reality of combing through backups, email systems, shared drives, and logs to determine exactly whose information was exposed, especially in complex networks that have grown over years.

Bell’s breach notifications were also filed with the Maine Attorney General, part of a common U.S. compliance process in which companies submit standardized disclosures to state regulators. Those filings often become the clearest public record of how many people were affected and what types of data were involved.

Emergency services are becoming prime targets

Ransomware gangs increasingly target organizations that can’t afford to pause operations. Ambulance providers sit near the top of that list: dispatch, scheduling, hospital coordination, and billing all depend on digital systems, and disruptions can force staff onto slower, error-prone workarounds.

Even when a breach is framed primarily as a data theft event, the operational pressure is always in the background. The bigger implication is that cyberattacks on emergency medical services aren’t just a privacy problem; they’re a public safety risk that can ripple through local health systems.

Key Takeaways

  • Bell Ambulance confirmed that 237,830 people were affected by the attack detected on February 13, 2025
  • Highly sensitive data was stolen, including Social Security numbers, medical information, and financial accounts
  • Medusa claimed responsibility for the operation and demanded a $400,000 ransom for 219 GB
  • Notifications were sent from April 2025 through March 2026 after a lengthy analysis
  • The case highlights the vulnerability of emergency services to ransomware

Frequently Asked Questions

What data was compromised in the attack on Bell Ambulance?

Bell Ambulance says personal and sensitive information was stolen, including Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance data.

How many people are affected by the data breach?

The number stated in the breach notification letters is 237,830 people. The company began notifying individuals in April 2025, then identified additional people over the following months, with new letters sent in 2026.

Who is the Medusa group mentioned in this matter?

Medusa is a ransomware group that claimed responsibility for the attack. U.S. government advisories describe Medusa as a ransomware-as-a-service actor that emerged in 2021 and has been linked to numerous attacks targeting critical infrastructure organizations.

What protective measures were offered to affected individuals?

Bell Ambulance offered credit monitoring and identity theft protection services for 12 or 24 months as a precaution, while stating it was not aware of any fraudulent misuse at the time the notifications were sent.

Why did notifications continue through 2026?

The company says reviewing the potentially compromised data took time. Additional victims were identified after the initial notifications, with the analysis phase completed in February 2026 and new letters sent in March 2026.

Michel Gribouille
I’m Michel Gribouille, a jack-of-all-trades writer and master of the keyboard on my site europe-infos.fr. I juggle current events and a variety of topics, always with a touch of humor and an insatiable curiosity. Serious when I need to be, but never boring, I like to make my articles as lively as my morning coffee!