235,000 affected by cyberattack on largest ambulance provider in Wisconsin

A prominent ambulance service in Milwaukee confirmed that hackers targeted their systems last year and stole sensitive information on more than 235,000 people. 

Bell Ambulance, which is the largest ambulance provider in the state of Wisconsin, filed breach notifications in Maine this week confirming that 237,830 people had information impacted by a data breach discovered in February 2025. 

The company said Social Security numbers, driver’s license numbers, financial accounts, medical information and health insurance information was stolen during the cyberattack. 

According to letters sent to victims, Bell Ambulance became aware of the attack on February 13, 2025 and hired cybersecurity experts to assist with the recovery effort. The company began notifying some who were affected in April 2025 but more victims were discovered throughout the fall.  

The company has stations across Milwaukee, Wauwatosa, Waukesha, Racine, Mount Pleasant, Kenosha and other cities across Wisconsin. Their more than 750 employees handle about 140,000 ambulance calls each year. 

The attack on Bell Ambulance was claimed at the time by the Medusa ransomware gang, which demanded a $400,000 ransom in exchange for the 219 GB of data that was stolen. 

One month after the Bell Ambulance incident, the FBI and several U.S. law enforcement agencies released an urgent advisory about the ransomware gang’s attacks on critical infrastructure organizations across the U.S. 

The group targeted governments and healthcare facilities in Minnesota, Illinois and Texas as well as car racing league NASCAR. 

According to the 2025 FBI alert, the ransomware-as-a-service group emerged in June 2021 and was responsible for more than 300 attacks on critical infrastructure organizations that included medical companies, manufacturing firms and more. 

The FBI warned that during one investigation, the group conducted a triple extortion scheme, where after paying the ransom to one alleged member of Medusa, another actor from the group claimed the payment was stolen and demanded the same ransom in exchange for the ‘true decryptor.’