
Milwaukee’s largest private ambulance provider is dealing with a cyber mess of its own. Bell Ambulance confirmed this week that a ransomware attack first spotted in February 2025 exposed personal and medical records for roughly 237,830 people. The Medusa ransomware group quickly claimed the hit, boasting that it had swiped hundreds of gigabytes of data and demanding a payout. Bell says it has since locked down its systems, spent the past year combing through files, and is now finishing up notification letters to everyone it believes was caught in the blast radius.
How Bell Says the Hack Went Down
According to a public notice, Bell says it detected “unauthorized activity” on its network on February 13, 2025, then pulled in third‑party forensic specialists to figure out what happened and how bad it was.
“Importantly, there is no evidence to suggest that information has been, or will be misused at this time,” the company wrote. The internal review found that affected files could include names plus one or more of the following: dates of birth, Social Security numbers, driver’s license numbers, financial account details, and medical and insurance information.
Bell’s notice also lays out recommended next steps for anyone who gets a letter, and the company says it has set up a dedicated assistance line to field questions.
Ransomware Gang Takes a Bow, Feds Sound the Alarm
Cybersecurity outlets report that the Medusa ransomware group took responsibility for the attack in early March 2025, posting evidence that about 219 GB of data had been stolen and demanding roughly $400,000 to keep it under wraps. The group has been repeatedly flagged as a continuing headache for hospitals and other critical infrastructure.
The FBI and the Cybersecurity and Infrastructure Security Agency later put out a joint advisory that walks through Medusa’s playbook and extortion tactics in detail. For more on the group and its methods, see coverage from SecurityWeek and the advisory posted by CISA.
How Many People Are Being Notified
Bell told state regulators this week that its file review ultimately identified 237,830 people whose information may have been exposed. The company says notification letters were mailed as the investigation wrapped up on February 20, 2026.
Regulatory filings and related coverage indicate Bell is offering identity‑protection options and urging recipients to keep an eye out for suspicious activity or possible fraud. See The Record for timelines and the text of the notice.
What to Do if You Think You Are Affected
Bell’s notice repeats the standard playbook for data‑breach fallout: check explanation‑of‑benefits statements, monitor bank and credit‑card accounts, and consider placing a fraud alert or credit freeze with the major credit bureaus. It also points people to free annual credit reports and federal resources on handling identity theft.
For Bell’s contact information and details on the assistance line, see Bell Ambulance. Federal guidance on what to do if your identity is misused is available at IdentityTheft.gov.
What Regulators May Do Next
Breaches of this size almost always draw scrutiny under federal health‑privacy rules. The U.S. Department of Health and Human Services’ Office for Civil Rights reviews incidents that affect 500 or more people and can require corrective actions if investigators find security gaps or HIPAA violations. Details on large health‑data breaches are posted on the agency’s public portal at HHS OCR.
On the state side, attorney general notifications, such as the sample notices Bell filed in Maine, are a routine part of the disclosure process. Those filings can later feed into enforcement actions or fuel civil litigation, depending on what regulators uncover about a company’s security posture. For additional context on the Bell incident and HIPAA implications, see reporting in HIPAA Journal.
For now, Bell says operations are ongoing and its ambulances continue to serve the Milwaukee 911 system. Anyone who receives a notification letter is being urged to follow the company’s instructions, tap federal identity‑theft resources, and keep a close watch on their accounts.









