Ransomware Surge Hits US Healthcare: AOA, DaVita and Bell Ambulance Breached

AOA, DaVita, and Bell Ambulance hit by ransomware in 2025. Over 245K affected as hackers steal patient data, demand ransoms, and disrupt healthcare services.
This has been a dreadful first quarter for the healthcare sector. After Morphisec’s recent discovery of ResolverRAT malware targeting organisations within the healthcare sector, three healthcare organizations in the United States have confirmed that they were victims of data breaches this year. These are Alabama Ophthalmology Associates, DaVita, and Bell Ambulance.
Alabama Ophthalmology Associates (AOA), an eye care practice in Alabama, revealed that a data breach occurring between January 22nd and January 30th, 2025, affected a staggering 131,576 individuals. AOA concluded its review of the impacted data on March 19th, 2025, and subsequently began notifying affected individuals.
In its notification (PDF), AOA claims the compromised data includes crucial personal details such as names, Social Security numbers, health insurance information, treatment details, medical record numbers, medical history, and dates of birth. However, they did not mention offering free credit monitoring or identity theft protection, a common practice among breached companies when Social Security numbers are compromised.
The ransomware group BianLian has claimed responsibility for the attack on AOA. This group, known for extorting organizations by threatening to publish stolen data rather than encrypting systems, alleges to have obtained a wide range of sensitive information from AOA, including finance and HR data, patient records, biometric information, and emails.
While BianLian has listed AOA on its data leak site, AOA has not yet verified these claims. The amount demanded, whether AOA paid a ransom, and the specific method the attackers used to infiltrate AOA’s network all remain unknown.
In a separate incident, Bell Ambulance, a well-established ambulance service provider in southeastern Wisconsin, detected a cybersecurity incident on February 13th, 2025. The company informed its employees about disruptions to their IT systems and initiated an investigation to determine if any information was compromised.
An update on April 22nd confirmed that 114,000 individuals were impacted in this breach, with compromised data potentially including dates of birth, Social Security numbers, driver’s license numbers, financial account information, medical information, and/or health insurance information.
On March 2nd, 2025, the ransomware group Medusa claimed responsibility for the attack, adding that they stole 220 GB of data. The group demanded a $400,000 ransom from Bell Ambulance, threatening to auction the stolen data if their demands were not met within 7 days.
It is worth noting that on April 8, Medusa also claimed a ransomware attack on NASCAR (National Association for Stock Car Auto Racing) demanding a $4 million ransom and threatening to release internal data if payment isn’t made.
DaVita, a Denver-based dialysis firm, was hit by a ransomware attack on April 12, which reportedly encrypted certain on-premises systems. The company is currently addressing the incident, utilizing contingency plans and manual processes, while care delivery continues at its centres and for home care patients. The identity of the ransomware group responsible remains unknown.
“The incident is impacting some of our operations, and while we have implemented interim measures to allow for the restoration of certain functions, we cannot estimate the duration or extent of the disruption at this time,” DaVita’s official statement read.
These attacks further emphasize the urgent need for improving cybersecurity measures within the healthcare sector to protect patient data and ensure the continuity of critical medical services.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, shared his comments with Hackread.com regarding the growing vulnerability of the healthcare sector to cyberattacks, stating, “Comparitech researchers logged 16 confirmed ransomware attacks on US hospitals, clinics, and other care providers in 2025, compromising the personal and health data of about 470,000 people.”
“Ransomware attacks on US hospitals, clinics, and other care providers can cripple key systems and endanger the privacy and security of patients. Providers must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk of fraud. Hospitals and clinics may have to resort to pen and paper, cancel certain appointments, and divert patients elsewhere until systems are restored.”
HackRead