What You Need to Know about the Bell Ambulance Data Breach

Bell Ambulance, Inc. is the largest ambulance service provider in Wisconsin, headquartered in Milwaukee. Founded in 1977, the company operates a fleet of 86 ambulances from 11 stations and employs more than 750 medical professionals who respond to approximately 140,000 service calls annually throughout Milwaukee, Waukesha, and Racine counties in Southeastern Wisconsin.

The company provides Basic Life Support, Advanced Life Support, and Critical Care transport services. As Wisconsin's largest provider of Critical Care Paramedic transport and a certified participant in the City of Milwaukee's 911 emergency medical services system, Bell Ambulance is an essential component of the region's emergency response infrastructure.

In February 2025, Bell Ambulance fell victim to a ransomware attack that exposed the sensitive information of 237,830 individuals. The Medusa ransomware group stole approximately 219 gigabytes of data, including names, Social Security numbers, dates of birth, driver's license numbers, financial account information, medical records, and health insurance details. Medusa demanded a $400,000 ransom and threatened to publish the data within seven to eight days. When Bell Ambulance apparently did not pay, Medusa publicly released the stolen data on the dark web.

The breach investigation took nearly a full year to complete. Bell Ambulance discovered the unauthorized access on February 13, 2025, but did not complete its review until February 20, 2026. The company notified affected individuals in waves: April 18, 2025, January 15, 2026, and March 9, 2026. Bell Ambulance is offering affected individuals 12 to 24 months of complimentary credit monitoring and identity theft protection services.

When Was the Bell Ambulance Data Breach?

According to notification letters filed with the Maine Attorney General's Office, unauthorized individuals had access to Bell Ambulance's network between February 7 and February 14, 2025. This seven-day window gave attackers time to infiltrate systems, identify valuable data, and exfiltrate approximately 219 gigabytes of sensitive information.

Bell Ambulance became aware of unauthorized activity on February 13, 2025. The company sent a message to employees acknowledging IT system disruptions. The message stated the disruption was greatly impacting employees' ability to perform job functions. Officials said they were investigating but it was too early to share details. Bell Ambulance immediately engaged third-party forensic specialists to investigate.

On March 2, 2025, the Medusa ransomware group publicly claimed responsibility on their dark web leak site. The group announced they had exfiltrated 219.50 gigabytes of data and demanded $400,000 ransom. Medusa gave Bell seven to eight days to pay or face public release of all stolen data. The group provided sample screenshots to prove they had legitimate sensitive information.

Bell Ambulance publicly disclosed the breach on April 14, 2025, approximately two months after discovery. The company began sending notification letters to the first group on April 18, 2025, reporting 114,000 affected individuals to the Department of Health and Human Services. However, the data review continued throughout 2025.

On January 15, 2026, nearly a full year after the breach, Bell sent notifications to additional affected individuals. The review was finally completed on February 20, 2026, revealing the total was actually 237,830 individuals—more than double the initially reported figure. Additional notification letters were mailed on March 9, 2026. Medusa's publication of the stolen data indicates Bell did not pay the ransom.

How to Check If Your Data Was Breached

If you have ever used Bell Ambulance's services for emergency or non-emergency medical transport in Wisconsin, or if you were a patient at a healthcare facility that used Bell Ambulance for transport, your information may have been compromised. Here's how to verify:

• Check your mail for notification letters from Bell Ambulance sent in April 2025, January 2026, or March 2026. The letters include details about the breach, information about what data was compromised, and instructions for enrolling in complimentary credit monitoring and identity protection services.
• Visit Bell Ambulance's dedicated data security incident page at 264bell.com/data-security-incident for information about the breach and steps you can take to protect yourself.
• Check the Department of Health and Human Services data breach portal at hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting and search for Bell Ambulance to see the official breach report showing 237,830 affected individuals.
• Contact Bell Ambulance directly if you believe you may have been affected but have not received notification. Since the company continued identifying additional affected individuals throughout 2025 and into 2026, it's possible some people have not yet been notified.
• Review your medical records and billing statements from any healthcare facilities in Milwaukee, Waukesha, or Racine counties where you received treatment between 2020 and early 2025. If Bell Ambulance transported you to or from these facilities, your information was likely in their system.

What to Do If Your Data Was Breached

If you received a notification from Bell Ambulance, take immediate protective action:

• Enroll in the complimentary credit monitoring and identity theft protection services. The notification letters included enrollment codes for 12 or 24 months of free credit monitoring, depending on the sensitivity of your exposed data. These services can alert you to new accounts opened in your name and other suspicious activity. Do not delay enrollment; these offers typically have expiration deadlines.
• Place fraud alerts on your credit reports immediately. Contact one of the three major credit bureaus to place a fraud alert, and they will notify the other two. These alerts are free, last for one year, and can be renewed. For maximum protection, consider placing a credit freeze, which completely prevents anyone from accessing your credit file to open new accounts.
• Monitor all your financial accounts closely. The exposure of financial account information plus Social Security numbers creates significant risk for both identity theft and direct financial fraud. Review statements regularly and set up account alerts for immediate notifications of transactions, login attempts, or account changes.
• Be vigilant about medical identity theft. Review all explanation of benefits statements from your health insurance company carefully. Look for medical services you did not receive, claims from providers you've never visited, or charges for medications you never had. Medical identity theft can exhaust your coverage limits and corrupt your medical records.
• Watch out for phishing attempts. Criminals may use your information to craft convincing emails, texts, or phone calls. Never provide personal information in response to unsolicited communications. If someone claims to represent a legitimate organization, hang up and call back using an official number from the organization's website.
• File your tax returns early. Tax-related identity theft is extremely common. By filing early in the tax season, you minimize the window for criminals to file fraudulent returns in your name. If the IRS rejects your return because one was already filed under your Social Security number, contact the IRS Identity Protection Specialized Unit immediately.

Are There Any Lawsuits Because of the Data Breach?

Yes. Multiple law firms are actively investigating class action lawsuits. As of March 2026, Edelson Lechtzin LLP has publicly announced it is investigating data privacy claims against Bell Ambulance and seeking to file a class action lawsuit on behalf of affected individuals.

Additional law firms, including ClassAction.org and other consumer protection attorneys, have also announced investigations. While no class action lawsuits have been formally filed as of early March 2026, the size of the breach affecting nearly 238,000 individuals, the highly sensitive nature of the exposed data, and the year-long investigation timeline make litigation highly likely.

Potential legal claims could allege Bell Ambulance failed to implement adequate cybersecurity measures to protect sensitive patient information from ransomware attacks. The Medusa ransomware group is well-known, and the FBI has issued warnings about this group's tactics. Plaintiffs' attorneys may argue Bell should have implemented stronger security controls.

The year-long investigation timeline could also become a focus. While Bell discovered the breach in February 2025 and began notifying some individuals in April 2025, the company continued identifying additional victims throughout the year and did not complete its investigation until February 20, 2026. This raises questions about data inventory and management practices.

If lawsuits are successful, affected individuals could potentially recover compensation for 

• Increased lifetime identity theft risk, 
• Credit monitoring costs beyond the complimentary period, 
• Time spent dealing with identity theft, 
• Out-of-pocket losses, and 
• Emotional distress from knowing their information is on the dark web.

Can My Bell Ambulance Information Be Used for Identity Theft?

Yes, absolutely. The Bell Ambulance breach exposed an extremely comprehensive set of personal identifiers. Criminals now have a complete identity theft toolkit for each victim. The combination of names, Social Security numbers, dates of birth, driver's license numbers, financial account information, medical records, and health insurance details creates virtually unlimited opportunities for fraud.

With your Social Security number and date of birth, criminals can open credit cards, apply for loans, obtain mortgages, and apply for government benefits in your name. Driver's license numbers provide the specific identification needed to pass many verification processes. If your financial account information was included, criminals have direct access to your banking details and can attempt unauthorized transactions.

Medical identity theft is an especially serious concern. Criminals can use your health insurance information to obtain expensive medical procedures, prescription drugs, or medical equipment in your name. These fraudulent claims can exhaust your coverage limits and corrupt your medical records with someone else's health information, potentially leading to incorrect diagnoses or dangerous treatments.

The fact that Medusa published the stolen data on the dark web makes this breach particularly dangerous. Unlike breaches where data remains with the original attackers, published data can be downloaded by countless criminals worldwide. Your information may be sold and resold on underground marketplaces for years, with different criminals using it for different types of fraud. The risk from this breach is permanent; you will need to remain vigilant for life.

What Can You Do to Protect Yourself Online?

The Bell Ambulance breach highlights the vulnerability of healthcare sector data. Here are essential steps to protect yourself:

• Implement comprehensive credit monitoring for the long term. While Bell offers 12 to 24 months of complimentary monitoring, your risk extends far beyond that. Consider continuing with paid credit monitoring services after the free period ends.
• Consider obtaining an Identity Protection PIN from the IRS. This six-digit number provides additional security for tax filings and can prevent criminals from filing fraudulent tax returns even with your Social Security number. Request an IP PIN through irs.gov.
• Review your medical records annually. Request copies from all healthcare providers and review carefully for any services, diagnoses, or treatments you don't recognize. Errors from medical identity theft can persist for years.
• Monitor your Social Security Administration account regularly. Create an account at ssa.gov to review your earnings history and watch for signs someone else is working under your Social Security number.
• Be cautious when sharing medical information. Before providing health information to any provider, app, or service, verify their identity and security practices.
• Set up comprehensive account alerts. Configure text or email notifications for all financial accounts, credit cards, medical providers, and insurance companies for real-time fraud detection.
• Use unique, strong passwords for all healthcare portals. Never reuse passwords across different medical websites. Enable two-factor authentication on all healthcare accounts that support it.

The Bell Ambulance ransomware attack demonstrates that even essential emergency services are vulnerable to sophisticated cyber attacks. The exposure of 237,830 individuals' comprehensive information creates a permanent identity theft risk. The publication of this data on the dark web means it will remain available to criminals indefinitely, making long-term protective measures essential.