A now-defunct ambulance service in Boston has suffered a data breach that compromised the personal information of nearly 1 million US individuals.
Transformative Healthcare last week sent out breach notification letters, explaining that a company it purchased in 2018, Fallon Ambulance Services, has suffered a data breach. The company, which provided ambulance services to hospitals in the Boston area, ceased operation in December 2022.
The company was still required to keep an archived copy of data that it previously stored on its computer systems for legal reasons, according to Transformative Healthcare. Then, in April last year, hackers accessed the data storage archive, containing Social Security numbers, names, addresses, vaccination information, COVID-19 testing, medical information, and even employment information.
“On or around April 21, 2023, after Fallon had ceased operations, it detected suspicious activity within its data storage archive. Fallon promptly took steps to secure the archive and initiated a comprehensive investigation into the matter with the assistance of third-party specialists,” Transformative Healthcare said in the letter sent to the Maine Attorney General’s Office.
According to the company, “the activity appears to have occurred as early as February 17, 2023 through April 22, 2023 and that files were obtained by an unauthorized party that may have contained personal information.”
Fallon then began an assessment of the affected files to determine what type of information the hackers may have compromised and to track down the contact information of former consumers whose information was on the files. This process ended around December 27, 2023, at which point Transformative Healthcare started sending out breach notification letters to all 912,000 affected individuals.
The company noted that there’s no evidence of identity theft or fraud in relation to the cyberattack. It’s now offering two years of free identity protection services to those who were impacted.
National consumer rights law firm Wolf Haldenstein Adler Freeman & Herz LLP later said in its own notice that it’s looking into the situation on behalf of former patients whose information may have been compromised as a result of the data breach.
“If you have received a recent notice of the data breach and have experienced recent concerning activity, it is possible that your personal medical information was compromised and is being offered for sale on the dark web,” the company said.