Ransomware gang says it breached Wisconsin ambulance company

Ransomware group Medusa today claimed responsibility for a February 2025 cyber attack on Bell Ambulance.

Bell Ambulance on February 13, 2025 sent a message to employees that said the company was “working to restore IT systems after a cybersecurity event.”

“Unfortunately this disruption is greatly impacting your ability to perform your job functions,” says the message, which local reporter Dan O’Donnell shared on Facebook. “We’re also investigating to determine if any information was affected, but it’s too early to share details.”

Medusa claimed responsibility for the attack on March 2, 2025. The group says it stole 220 GB of data. It is demanding that Bell Ambulance pay $400,000 in ransom, or it will put the stolen data up for auction in one week.

Bell Ambulance has not verified Medusa’s claim. We do not yet know if personal data was compromised, if Bell Ambulance did or will pay a ransom, how much Medusa demanded, or how attackers breached the company’s network. Comparitech contacted Bell Ambulance for comment and will update this article if it replies.

Who is Medusa?

Medusa first surfaced in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay twice: once to decrypt their systems, and once to keep the stolen data from being sold or published.

Medusa has claimed 115 confirmed ransomware attacks since it began, compromising about 2.5 million records. Its average ransom demand is $320,000.

Medusa’s attack on Bell Ambulance joins two other confirmed ransomware attacks claimed by the group in 2025:

Medusa has made another 49 unconfirmed claims so far in 2025 that have yet to be acknowledged by the targeted organizations.

Ransomware attacks on US healthcare

Ransomware attacks on hospitals, clinics, and other care providers can lock down computer systems and steal data. Targets are forced to either pay a ransom or face extended downtime, data loss, and the risk of fraud against their customers. Ransomware can cripple a wide range of systems including access to medical records, appointment booking, payroll, prescriptions, patient communications, and more.

In addition to Medusa’s attack on Bell Ambulance, Comparitech researchers have confirmed two other attacks on US care providers so far in 2025: Frederick Health and New York Blood Center Enterprises.

Two more care providers over the weekend confirmed they are notifying patients following data breaches in 2024. RansomHub claimed responsibility for the September data breach at Cardiology of Virginia, which says it notified 21,085 people. Everest claimed a November 2024 breach at Artistic Family Dental.

About Bell Ambulance

Based in Wisconsin, Bell Ambulance says it operates a fleet of 82 ambulances, employs more than 700 people, and answers more than 120,000 ambulance service calls per year. The company serves Milwaukee County, Waukesha County, Racine County, and Southeastern Wisconsin.

