Superior Air-Ground Ambulance recently reported a large breach.
What happened
Superior Air-Ground Ambulance is an Illinois-based communication center and service provider that operates in Illinois, Indiana, Michigan, Ohio, and Wisconsin.
The company assists in emergency medical dispatch and flight coordination, fielding approximately 2,700 daily and transferring approximately 1,000 patients to medical facilities daily.
The service provider recently reported a large data breach, which they estimate impacted 858,238 individuals. The breach is listed on the Department of Health and Human Services (HHS) website as a hacking incident on the company’s network server.
Going deeper
The company reported the data breach on May 10th, 2024, and recently began sending notices to impacted patients.
What is unique, however, is that the breach took place over a year ago, in May of 2023. Superior Air-Ground Ambulance said they were alerted to the incident in the same month and promptly began an investigation. That investigation concluded on June 23, 2023.
The organization determined that an unauthorized actor had copied certain files from the network between May 15th and May 23, 2023. The service provider went on to review the affected files.
Impacted information varies by person but may include: names, addresses, dates of birth, Social Security numbers, driver’s license or state identification numbers, financial account information, payment card information, patient record information, medical diagnosis or condition information, medical treatment information, and health insurance information.
What was said
According to their notice, Superior’s comprehensive review of the affected files was “time-intensive,” and the company also worked hard to determine contact information for impacted individuals. They are now beginning to provide formal notice.
The company said, “Superior views its responsibility to safeguard information in its possession as an utmost priority…Superior has been working diligently to provide potentially affected individuals with accurate and complete notice and guidance on how to better protect personal information.”
The company shared that they are also reviewing policies and implementing additional security procedures.
What’s next
The company shared little regarding the delay in reporting or sending patient notifications. According to HIPAA regulations, companies must notify HHS within 60 days of discovering a data breach. Despite that relatively prompt required turnaround, it’s common for healthcare organizations to spend months investigating the incidents.
Nevertheless, the service provider is already facing backlash for the delay. Multiple law firms are investigating the incident and a class action lawsuit is possible.
The big picture
Attacks on critical infrastructure like ambulance services can be particularly devastating. In major instances, like the 2023 attack on Ardent Health, they can lead to diverted services or delays in care.
Superior was able to continue operations and serve patients. While Superior was lucky in that sense, they aren’t out of the woods yet. Breaches like these can be costly, time-consuming, and harmful to an organization’s reputation. It’s one of many reasons to prioritize data security at all times.