Westchester EMS Provider Hacked in One of the Largest U.S. Healthcare Ransomware Attacks of 2022

Written By: Robert Cox

Data breach impacts 318,558 Patients in Westchester and New York City

NEW ROCHELLE, NY (September 22, 2022) — The HIVE ransomware group has taken credit for a data breach of Empress EMS, based in the City of Yonkers, NY and owned by PatientCare EMS Solutions, based in Tyler, TX. PatientCare EMS Solutions is a portfolio company of Alvarez & Marsal Capital, a private equity investment firm based in Greenwich, CT.

In public statements, Empress EMS has dramatically underestimated the scope of the attack.

According to the Alvarez & Marsal Capital website:

Empress Ambulance Service is a provider of emergency and non-emergency ambulance services including advanced life support and basic life support services to municipalities and hospital systems across New York’s Westchester County. Additionally, Empress operates significant ambulance services in the Bronx and Manhattan boroughs.

PatientCare is a leading provider of ground-based 911 emergency ambulance services and other critical healthcare logistics solutions. Headquartered in Tyler, Texas, the company operates growing partnerships with representative customers in Florida, Texas, Indiana, California, South Dakota, Mississippi and New York. PatientCare is responsible for transporting more than 350,000 patients annually.

Hive ransomware group “started their ransomware attacks in June 2021 and quickly drew the attention of law enforcement due to a wide range of target industries, most notably healthcare. Hive ransomware uses the Ransomware-as-a-Service model and double extortion method. If a victim fails to pay the ransom, Hive operators release the exfiltrated data on Hive’s Data Leak Sites.”

Under the Health Information Technology Act, healthcare organizations must report breaches affecting more than 500 people to the U.S. Department of Health and Human Services.

On September 9, 2022, Empress EMS contacted the U.S. Department of Health and Human Services to report an incident that affected 318,558 patients, making it one of the largest data breaches of a healthcare organization in the United States so far this year.

Top 20 HHS HITECH Act Reporting Database (as of 9/15/22)

Also on September 9, 2022, Empress EMS sent letters to affected patients.

Empress

Emergency Medical Services

September 9, 2022

Dear —

At Empress EMS, we are committed to protecting the privacy and security of our patients’ information. Regrettably, we recently identified and addressed a cybersecurity incident involving some of that information. This letter explains the incident, measures we have taken, and some steps you may consider taking in response.

What Happened? On July 14, 2022, we identified a network incident resulting in the encryption of some of our systems. We took measures to contain the incident, reported it to law enforcement, and we conducted a thorough investigation with the assistance of a third-party forensic firm. Our investigation determined that an unauthorized party first gained access to certain systems on our network on May 26, 2022, and then copied a small subset of files on July 13, 2022.

What Information Was Involved? Many of the impacted files were used by Empress EMS for billing purposes, and our review identified documents containing your name, Social Security number, dates of service, and the name of your insurer, if on file with Empress EMS.

What We Are Doing and What You Can Do. In an abundance of caution, we are offering you a free 12-month membership to Experian IdentityWorks℠ Credit 3B. This product helps detect possible misuse of your personal information and provides you with credit and identity protection services focused on immediate identification and resolution of identity theft. Enrolling in this program will not affect your credit score. For more information on Experian IdentityWorks℠, including instructions to enroll in your free membership, please see the pages that follow this letter.

We value the trust our community places in Empress EMS, and we regret any inconvenience or concern this incident may cause you and your family. We are implementing new network security measures and providing additional training to our employees to help prevent something like this from happening in the future.

For More Information. If you have any questions about this incident, please call our dedicated assistance line at 844-690-1251, Monday through Friday, between 9:00 a.m. and 9:00 p.m., Eastern Standard Time, excluding major U.S. holidays.

Sincerely,

Hanan Cohen

Director of Corporate Development and Compliance

EDITOR’S NOTE: I called the main line at Empress EMS, identified myself as a reporter and asked if they could connect me to a media relations contact. With a heavy sigh, the woman who answered said she would connect me, then transferred me to a MITEL voicemail box with no name. I left a voicemail message. I called the “incident line” from the letter, identified myself as a reporter and asked if they could connect me to a media relations person. They could but did take a message to pass along.

Empress EMS posted a security notice about the breach on its website. According to the security notice, an unauthorized individual gained access to their system on May 26 and copied a “small subset of files” on July 13. On July 14, Empress “identified a network incident resulting in the encryption of some of our systems.”

Databreaches.net has a more comprehensive and detailed account of the incident, which is ongoing in that the data has not been published online but may still be distributed online or otherwise made public.

Visit their excellent reporting for full details.

According to DataBreaches, Hive contacted Empress EMS on July 14 and 15 by email, as opposed to the Empress claim that they “identified a network incident resulting in the encryption of some of our systems.”

Empress told patients on September 9, “we took measures to contain the incident” but the HIVE emails state the incident took place on May 26, lasted almost two weeks and by the time Empress EMS was told of the hack on July 14, the damage was already done. There was nothing to contain.

Hive told Empress on July 14:

! ! ! DO NOT TRY TO DECRYPT OR CHANGE ENCRYPTED FILES ON YOUR COMPUTERS, IT WILL COMPLETELY DESTROY THEM ! ! !

Ladies and gentlemen! Attention, please!

This is HIVE ransomware team.

We infiltrated your network and stayed there for 12 days (it was enough to study all your documentation and gain access to your files and services), encrypted your servers.

Downloaded most important information with a total size over 280 GB

Few details about information we have downloaded:

– contracts, nda and other agreements documents

– company private info (budgets, plans, investments, company bank statements, etc.)

– employees info (SSN numbers, emails, addresses, passports, phone numbers, payments, working hours, etc.)

– customers info (SSN numbers, emails, addresses, passports, phone numbers, payments, working hours, etc.)

– SQL databases with reports, business data, customers data, etc.

– approximate number of personal records including addresses and ssn’s data is above 10000 units

On July 15, Hive sent Empress exemplars of what they had taken which, according to DataBreaches, included protected health information of some of Empress EMS’s patients. “Hive claimed to have more than 100,000 Social Security numbers as part of the data they exfiltrated,” according to DataBreaches.

News of the leak was made public on Twitter on July 14 by Red Packet Security.

DataBreaches is reporting that as of today Empress EMS data is not on Hive’s leak site.

EDITOR’S NOTE: We are not providing a link to the leak site because it is a dark web site requiring a Tor browser; if you know what that means you do not need our help finding the site and if you don’t know we probably cannot help you.

About Empress:

Empress, owned and operated for more than 30 years by the Minerva family, is managed today by brothers Mike, Dan and Matt Minerva, as well as long-time colleague Jim O’Connor. These experienced ambulance industry operators will continue to serve their established communities on a full-time basis with Empress and will leverage additional capital and technology resources available through PatientCare to expand critical ambulance services and mobile healthcare programs throughout its service area.

Founded in 1985, Empress is based in the City of Yonkers, New York and provides 911 emergency medical response to Yonkers with additional mutual aid response to neighboring communities. Additionally, Empress has emergency and non-emergency response contracts throughout Westchester County with districts, hospitals, correctional institutions and private care facilities.
