Nearly 1 million affected by ambulance service data breach

Nearly one million people were affected by a data breach at a Massachusetts-based healthcare company last spring.

Last week, Transformative Healthcare informed regulators in several U.S. states as well as the Department of Health and Human Services about a data breach that took place in April 2023.

The company is contracted by hospitals and healthcare facilities to provide logistics services and other programs.

In breach notification letters sent out on December 27, Transformative Healthcare explained that the breach was related to Fallon Ambulance Services — a company it purchased in 2018. The company provided ambulance services to hospitals in the Boston area but ceased all operations in December 2022.

For legal reasons, the company was still required to maintain an archived copy of data previously stored on its computer systems, Transformative Healthcare said.

“On or around April 21, 2023, after Fallon had ceased operations, it detected suspicious activity within its data storage archive. Fallon promptly took steps to secure the archive and initiated a comprehensive investigation into the matter with the assistance of third-party specialists,” the company said, noting that federal law enforcement was involved in the investigation.

Fallon determined that the activity began as early as February 17 and lasted through April 22 “and that files were obtained by an unauthorized party that may have contained personal information.”

After completing the investigation on December 27, the company determined that the personal information of nearly 912,000 people was accessed.

The type of information accessed includes names, addresses, Social Security numbers, medical information, including COVID-19 testing or vaccination information, and information provided to Fallon in connection with employment or application for employment.

The company is offering victims two years of free identity protection services.

After Transformative Healthcare sent out the breach notification letters, national consumer rights law firm Wolf Haldenstein Adler Freeman & Herz LLP published its own notice saying it is investigating claims on behalf of former patients whose information may have been stolen as part of a recent data breach.

“If you have received a recent notice of the data breach and have experienced recent concerning activity, it is possible that your personal medical information was compromised and is being offered for sale on the dark web,” they said.