A new listing on Daixin Team’s leak site suggested serious problems for Acadian Ambulance.
Acadian Ambulance offers several health-related services, including emergency medical transportation, non-emergency transportation, at-home health care, air services, and medical education. It has locations in Louisiana, Mississippi, Tennessee, and Texas.
Acadian has been in business since 1971, and at this point, employees own the majority of the organization’s stock.
If one were to visit its website today, there would likely be no indication of anything amiss. There is no notice about any data breach on their site or on their Facebook page. But appearances can be deceiving.
According to Daixin Team, who communicated exclusively with DataBreaches, Daixin encrypted 1,000 – 2,000 of Acadian’s servers on June 21. When asked whether Acadian detected them and kicked them out, Daixin’s spokesperson replied, “Perhaps they began to understand something when everything stopped working. The access of their administrators was blocked and no one interfered with us. We ourselves left their internal network.” DataBreaches was also shown screenshots from what appeared to be a compromise of an employee’s 2FA screen.
As they have done in the past, Daixin avoided encrypting life-saving servers, later telling Acadian, “As you may have noticed we didn’t encrypt the life support servers but only shut some down as proof we could destroy them.”
From statements provided to DataBreaches by Daixin, it seems that negotiations with Acadian started on June 22. Chat logs from this past week, however, suggest that no agreement was reached on the amount of payment. Daixin had asked for $7 million, but after weeks of negotiating, Acadian was claiming they could only pay less than $173,000. At one point, Daixin’s negotiator told Acadian’s negotiator:
“7 Million USD for all the personal and medical data of 10 million US citizens = 70 cents each, less than 1$!
“But we’re not the good guys – we won’t hesitate to publish the data and sell some of it. You’ll never know which data was sold. The decryption tool will also be destroyed. Your disregard for patient privacy will also become public knowledge.”
DataBreaches asked Daixin’s spokesperson why they thought Acadian could afford to pay $7 million. Had Daixin discovered that Acadian had cyberinsurance that would cover the payment? They responded by quoting from Zacks Equity Research:
“Acadia Healthcare exited the first quarter with cash and cash equivalents of $77.3 million, which dropped 22.8% from the 2023 end level. It had a leftover capacity of $371.5 million under its $600 million revolving credit facility at the quarter end.”
DataBreaches also asked Daixin whether they really had personal or protected health information on 10 million unique patients. They replied that yes, the database had more than 11 million people, but only 10 million were unique. When asked whether those were people who used the emergency ambulance service or other services, Daixin’s spokesperson replied that they didn’t know, adding, “Only Acadian can answer this question.”
A list of tables in the database, published today on Daixin’s leak site, reveals that most of the tables are patient-related. One table involves employee data. The fields in that table include the employees’ first and last name, SSN, date of birth, gender, date of employment, certification number, phone number, email, position, and other types of information.
The table with 11 million records is a table called “ePCR.dbo.MedicalRecord.” It contains a wealth of fields. Other tables also appear to contain sensitive information, such as a table with information on those suspected of drug use.
None of the data has been leaked at this point, however.
DataBreaches emailed Acadian Ambulance yesterday and again today to ask about their response to the incident and whether they had usable backups for the encrypted servers. No reply has been received.
From the information provided to DataBreaches by Daixin, it appears that Acadian’s last negotiation effort was to tell Daixin that they were trying to borrow $400,000, which would bring their offer to $572,500, but that it would take a few days. That was not even close to what Daixin would accept, at which point the ransomware group leaked the list of tables and indicated that they would leak other data soon.
This post will be updated if a statement is received from Acadian or the leak situation changes.