Active breach tracker Milwaukee, Wisconsin Disclosed April 14, 2025

Bell Ambulance Data Breach 2025: Medusa Ransomware Exposes 237,830 Wisconsin EMS Patients. $2M Class Settlement Pending. What To Do

Bell Ambulance, Inc., Wisconsin's largest private ambulance service, suffered a February 2025 Medusa ransomware attack that exfiltrated roughly 219 GB of data and exposed names, Social Security numbers, driver's license numbers, financial account information, medical information, and health insurance information for 237,830 patients and employees. 12 to 24 months credit monitoring offered; $2M class settlement pending.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 7, 2025

Unauthorized access window begins

Feb 13, 2025

Bell Ambulance detects unauthorized activity; forensic specialists engaged

Feb 14, 2025

Unauthorized access cut off (approximate end of seven-day intrusion window)

Mar 2, 2025

Medusa ransomware group lists Bell Ambulance on its dark-web leak site; demands $400,000 and threatens to publish ~219 GB

Apr 14, 2025

Substitute notice posted to bellambulance.com / 264bell.com data security incident page

Apr 14, 2025

Disclosed publicly

Apr 18, 2025

First wave of individual notification letters mailed (initial cohort, ~114,000)

Apr 18, 2025

Initial HHS OCR filing for the first cohort

Jan 15, 2026

Second wave of individual notification letters mailed

Feb 20, 2026

Final data review completed; total raised to 237,830

Feb 23, 2026

Preliminary approval of $2M class settlement in Whitaker v. Bell Ambulance, Case No. 2025CV002444 (Milwaukee County Circuit Court)

Mar 9, 2026

Third wave of individual notification letters mailed

Mar 12, 2026

Updated breach notice filed with Maine Attorney General reflecting final 237,830 count

Apr 27, 2026

Class notice mailing begins (Whitaker v. Bell Ambulance settlement)

Jun 15, 2026

Settlement opt-out / objection deadline

Jun 29, 2026

Settlement claim filing deadline

Jul 14, 2026

Final approval hearing scheduled (Milwaukee County Circuit Court)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Medical information (including EMS transport and treatment records) Medical record number

03

Contact & insurance

Phishing + targeted scams

First and last name Financial account information Health insurance information Full face photographic images

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (class counsel) Kopelowitz Ostrow P.A. (class counsel) Bailey Glasser LLP (class counsel) Cafferty Clobes Meriwether & Sprengel LLP (investigation) Sauder Schelkopf (investigation)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Bell Ambulance, Inc. is Wisconsin’s largest private ambulance and EMS provider. Founded in the 1970s and headquartered in Milwaukee, the company operates roughly 82 vehicles and employs about 700 people across the state. Affected individuals are primarily patients transported by Bell Ambulance, plus current and former employees.

Between February 7 and February 14, 2025, the Medusa ransomware group maintained unauthorized access to Bell Ambulance’s network for roughly seven days. Bell detected the activity on February 13, 2025, engaged third-party forensic specialists, and cut off the intrusion. Medusa exfiltrated approximately 219 GB of data, demanded a $400,000 ransom, and listed Bell Ambulance on its dark-web leak site on March 2, 2025 with a countdown. Bell did not appear to pay; Medusa subsequently published the stolen files.

Bell posted its substitute notice on April 14, 2025 and began mailing individual letters on April 18, 2025, initially reporting roughly 114,000 affected. Forensic review continued for nearly a year. The investigation concluded February 20, 2026, more than doubling the total to 237,830 individuals. Bell sent additional notification waves on January 15, 2026 and March 9, 2026, and refiled with the Maine Attorney General on March 12, 2026.

Timeline

  • February 7, 2025 — Unauthorized access window begins.
  • February 13, 2025 — Bell detects unauthorized network activity and engages forensic specialists.
  • February 14, 2025 — Intrusion cut off (approximate end of seven-day access window).
  • March 2, 2025 — Medusa ransomware group lists Bell Ambulance on its dark-web leak site, demanding $400,000 and threatening to publish ~219 GB.
  • April 14, 2025 — Substitute notice posted to bellambulance.com / 264bell.com.
  • April 18, 2025 — First wave of individual notification letters mailed (~114,000); initial HHS OCR filing.
  • January 15, 2026 — Second wave of individual notification letters mailed.
  • February 20, 2026 — Final data review complete; total raised to 237,830.
  • February 23, 2026 — Preliminary approval of $2M class settlement in Whitaker v. Bell Ambulance.
  • March 9, 2026 — Third wave of individual notification letters mailed.
  • March 12, 2026 — Updated breach notice filed with the Maine Attorney General reflecting the final count.
  • April 27, 2026 — Class notice mailing begins.
  • June 15, 2026 — Settlement opt-out / objection deadline.
  • June 29, 2026 — Settlement claim filing deadline.
  • July 14, 2026 — Final approval hearing in Milwaukee County Circuit Court.

What was exposed

EMS transport records typically carry more than billing data. They include the reason for transport, on-scene assessments, vital signs, medications administered, destination facility, and the responding crew narrative. The notice confirms exposure of:

  • First and last name
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Financial account information
  • Medical information (including EMS transport and treatment records)
  • Medical record number
  • Health insurance information
  • Full face photographic images

The full identity stack (name + DOB + SSN + driver’s license) is the highest-risk combination for synthetic identity fraud and tax-refund fraud. The court-approved settlement notice and the official settlement website both confirm that full-face photographic images were among the files accessed. EMS providers routinely photograph patients at scene for clinical documentation, making Bell Ambulance’s records an unusually complete biometric dataset. Medical record numbers enable fraudulent billing under a victim’s identity at any provider that participates in the same clearinghouses Bell uses for billing.

What Bell Ambulance is offering

  • Complimentary credit monitoring and identity theft protection (12 months for the initial cohort; 24 months offered to the later-disclosed cohort in some notices).
  • Two years of credit monitoring through CyEx Medical Shield Complete is also available to settlement class members under the Whitaker settlement.
  • Network security remediation: password resets, account hardening, additional monitoring.
  • Dedicated assistance line: 1-844-956-1504 (Monday-Friday, 9 a.m. to 9 p.m. ET).
  • Corporate offices: 549 East Wilson Street, Milwaukee, WI 53207; (414) 486-2000.

Class-action posture

A consolidated class action, Whitaker, et al. v. Bell Ambulance, Inc., Case No. 2025CV002444, was filed in the Circuit Court for Milwaukee County, Wisconsin (not federal court). The court granted preliminary approval of a $2,000,000 settlement on February 23, 2026.

The case was filed under the Wisconsin Deceptive Trade Practices Act, among other claims. Class counsel are Alex Phillips of Strauss Borrelli PLLC, Kenneth Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert, and Bart D. Cohen of Bailey Glasser LLP. Defense counsel are Tara Nalencz and Jill Fertel of Cipriani & Werner, P.C. (Blue Bell, PA). Simpluris, Inc. is the court-appointed settlement administrator; contact the administrator at (844) 804-2567 or by mail at Bell Ambulance Data Incident Settlement, c/o Settlement Administrator, P.O. Box 25226, Santa Ana, CA 92799-9958.

Class members may elect either documented out-of-pocket loss reimbursement up to $5,000 (for losses incurred between February 13, 2025 and June 29, 2026) or a pro rata cash payment estimated at $90 (may be higher or lower depending on claim volume), plus two years of CyEx Medical Shield Complete credit monitoring for all class members.

The $2,000,000 fund breakdown: attorneys’ fees capped at one-third ($666,667); service awards of $2,500 to each of six class representatives ($15,000 total); settlement administration costs; and the remainder to class members. Bell Ambulance denies any wrongdoing.

  • Notice mailing begins: April 27, 2026
  • Opt-out / objection deadline: June 15, 2026
  • Claim deadline: June 29, 2026
  • Final approval hearing: July 14, 2026, 9:00 a.m. Central Time, Milwaukee County Courthouse, 901 N. 9th Street, Milwaukee, WI 53233

Additional firms publicly investigating include Cafferty Clobes Meriwether & Sprengel LLP and Sauder Schelkopf.

What to do

  1. File a settlement claim by June 29, 2026 at the official settlement site if you were notified. Have your notice ID ready.
  2. Place free credit freezes at Equifax, Experian, and TransUnion. This is the single highest-leverage protection against the SSN + DOB + driver’s license combination Medusa published.
  3. Replace your driver’s license through the Wisconsin DMV if your number was disclosed. Driver’s license numbers do not rotate automatically the way card numbers do.
  4. Enroll in the credit monitoring offered in your letter (Bell’s program or CyEx Medical Shield Complete via the settlement).
  5. Watch your insurance Explanation of Benefits and pharmacy records for transports, claims, or prescriptions you did not receive. Medical-identity fraud often shows up in EOBs months after a leak.
  6. Stop the ongoing flow of your medical data. HealthConsent files HIPAA right-to-restrict and accounting-of-disclosures requests across providers, insurers, EMS billing networks, and prescription clearinghouses so a single intrusion stops cascading.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.