NY Ambulance Co. Faces Class Action Lawsuit for Delaying Notification to 300k Hacked Clients
By: Hellen Zaboulani
One of the biggest private ambulance companies in New York State is being slapped with an extensive class action lawsuit for waiting months to notify more than 318,500 of their customers that their personal information was compromised.
As reported by the NY Post, after Empress Ambulance Services was hacked by Hive Gang, a notorious ransomware group, and client info was stolen, they only told customers that a “small subset of files” had been stolen. The company knew, however, that the social security numbers of more than 100,000 individuals were stolen, along with their names, dates of birth, demographic information, diagnosis and treatment information, and medical records, as per a recent lawsuit filed against the company.
The suit, filed in Manhattan federal court last Tuesday, alleges that though the hack occurred in late May, the company did not detect it until July 14, and furthermore waited until Sept. 9 to notify victims. Empress EMS, a Yonkers-based company, received emails from the criminal enterprise, Hive Gang, taking responsibility and bragging for the hack, as per the FBI. “We infiltrated your network and stayed there for 12 days (it was enough to study all your documentation and gain access to your files and services), encrypted your servers, [d]ownloaded most important information with a total size over 280 GB,” the hacker group wrote Empress, as per the filed lawsuit.
The company, however, allegedly did not tell clients that the hack was by Hive Gang, an infamous group which became active in June 2021 and has since profited more than $100 million in ransom payouts from 1,300 companies it targeted around the world. Hive ransomware has been targeting a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH), as per the government’s Cybersecurity & Infrastructure Security Agency advisory.
“Hive actors have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol”, in some cases bypassing multifactor authentication, the government website says in a general warning against the group. Hive also has been notorious for distributing phishing emails with malicious attachments, and for “exploiting vulnerabilities against Microsoft Exchange servers”, per the public FBI advisory.
As per the Post, the lawsuit claims that the hacker group listed Empress on their website on the dark web following the data breach, and that compromised files taken from the ambulatory company have been found to be available for download on the dark web. It’s not known if Empress has paid any ransom to Hive gang. In September, when Empress first sent the letter notifying customers, it offered impacted patients a free 12-month membership in Experian Identity Works. The 46-page class action lawsuit filed last week is just one of at least four separate legal complaints filed against Empress. The suit seeks an undisclosed amount in damages.
Empress did not reply to the Post’s request for comment.
