Alabama Ophthalmology Associates (AOA)

AOA, an eye care practice in Alabama, suffered a ransomware attack between January 22 and 30, 2025, that compromised the data of 131,576 individuals. The breach exposed highly sensitive data, including names, Social Security numbers, health insurance details, medical records, treatment histories, biometric data, and emails. The BianLian ransomware group claimed responsibility, threatening to publish the stolen data unless its demands were met. While AOA confirmed the breach, it did not disclose whether a ransom was paid or whether credit monitoring was offered. The attack disrupted operations and created a long-term risk of identity theft, financial fraud, and reputational damage. Given the scale of the exposed patient health and financial records, the incident poses severe compliance risks (e.g., HIPAA violations) and operational disruptions, potentially eroding trust in the healthcare provider. The breach’s impact extends beyond data loss, threatening patient safety if critical systems were compromised during the attack.

Source: https://hackread.com/ransomware-us-healthcare-aoa-davita-bell-ambulance-breach/

TPRM report: https://www.rankiteo.com/company/alabama-academy-of-ophthalmology

"id": "ala827090225",
"linkid": "alabama-academy-of-ophthalmology",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 131576,
                        'industry': 'Healthcare',
                        'location': 'Alabama, USA',
                        'name': 'Alabama Ophthalmology Associates (AOA)',
                        'type': 'Eye Care Practice'},
                       {'customers_affected': 114000,
                        'industry': 'Healthcare',
                        'location': 'Southeastern Wisconsin, USA',
                        'name': 'Bell Ambulance',
                        'type': 'Ambulance Service Provider'},
                       {'industry': 'Healthcare',
                        'location': 'Denver, Colorado, USA',
                        'name': 'DaVita',
                        'type': 'Dialysis Firm'}],
 'customer_advisories': [{'action': 'Notification letters sent to affected '
                                    'individuals',
                          'organization': 'AOA'},
                         {'action': 'Public update on breach impact (April 22, '
                                    '2025)',
                          'organization': 'Bell Ambulance'},
                         {'action': 'Official statement acknowledging '
                                    'operational impact',
                          'organization': 'DaVita'}],
 'data_breach': {'data_encryption': [{'details': 'BianLian typically threatens '
                                                 'data publication rather than '
                                                 'encryption',
                                      'organization': 'AOA',
                                      'status': False},
                                     {'organization': 'Bell Ambulance',
                                      'status': None},
                                     {'details': 'On-premises systems '
                                                 'encrypted',
                                      'organization': 'DaVita',
                                      'status': True}],
                 'data_exfiltration': [{'organization': 'AOA', 'status': True},
                                       {'details': '220 GB of data stolen '
                                                   '(claimed by Medusa)',
                                        'organization': 'Bell Ambulance',
                                        'status': True},
                                       {'organization': 'DaVita',
                                        'status': None}],
                 'number_of_records_exposed': [{'organization': 'AOA',
                                                'records': 131576},
                                               {'organization': 'Bell '
                                                                'Ambulance',
                                                'records': 114000},
                                               {'organization': 'DaVita',
                                                'records': None}],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (PII, PHI, financial data, '
                                        'biometric information)',
                 'type_of_data_compromised': [{'data': ['Names',
                                                        'Social Security '
                                                        'numbers',
                                                        'Health insurance '
                                                        'information',
                                                        'Treatment details',
                                                        'Medical record '
                                                        'numbers',
                                                        'Medical history',
                                                        'Dates of birth',
                                                        'Finance and HR data '
                                                        '(claimed by BianLian)',
                                                        'Patient records',
                                                        'Biometric information',
                                                        'Emails'],
                                               'organization': 'AOA'},
                                              {'data': ['Dates of birth',
                                                        'Social Security '
                                                        'numbers',
                                                        'Driver’s license '
                                                        'numbers',
                                                        'Financial account '
                                                        'information',
                                                        'Medical information',
                                                        'Health insurance '
                                                        'information'],
                                               'organization': 'Bell '
                                                               'Ambulance'},
                                              {'data': None,
                                               'organization': 'DaVita'}]},
 'date_detected': [{'date': '2025-01-22', 'organization': 'AOA'},
                   {'date': '2025-02-13', 'organization': 'Bell Ambulance'},
                   {'date': '2025-04-12', 'organization': 'DaVita'}],
 'date_publicly_disclosed': [{'date': '2025-03-19', 'organization': 'AOA'},
                             {'date': '2025-04-22',
                              'organization': 'Bell Ambulance'},
                             {'organization': 'DaVita'}],
 'description': 'Three healthcare organizations—Alabama Ophthalmology '
                'Associates (AOA), DaVita, and Bell Ambulance—were hit by '
                'ransomware attacks in early 2025, affecting over 245,000 '
                'individuals. Hackers stole patient data, demanded ransoms, '
                'and disrupted healthcare services. The attacks were claimed '
                'by ransomware groups BianLian (AOA) and Medusa (Bell '
                'Ambulance), while the group behind the DaVita attack remains '
                'unidentified. The incidents highlight the growing '
                'vulnerability of the healthcare sector to cyber threats, with '
                'compromised data including SSNs, medical records, financial '
                'details, and more.',
 'impact': {'brand_reputation_impact': 'High (Healthcare sector trust erosion, '
                                       'patient privacy concerns)',
            'data_compromised': True,
            'downtime': True,
            'identity_theft_risk': 'High (SSNs, driver’s license numbers, '
                                   'financial data exposed)',
            'legal_liabilities': 'Potential (due to compromised PII/PHI under '
                                 'HIPAA or other regulations)',
            'operational_impact': ['Disruption of IT systems (Bell Ambulance)',
                                   'Encryption of on-premises systems (DaVita)',
                                   'Use of manual processes and contingency '
                                   'plans (DaVita)',
                                   'Potential cancellation of appointments or '
                                   'diversion of patients (general)'],
            'payment_information_risk': 'High (financial account information '
                                        'compromised in Bell Ambulance breach)',
            'systems_affected': True},
 'initial_access_broker': {'data_sold_on_dark_web': [{'details': 'Medusa '
                                                                 'threatened '
                                                                 'to auction '
                                                                 'stolen data',
                                                      'organization': 'Bell '
                                                                      'Ambulance',
                                                      'status': True},
                                                     {'organization': 'AOA',
                                                      'status': None},
                                                     {'organization': 'DaVita',
                                                      'status': None}],
                           'high_value_targets': ['Patient records (AOA, Bell '
                                                  'Ambulance)',
                                                  'Financial/HR data (AOA)',
                                                  'Operational systems '
                                                  '(DaVita)']},
 'investigation_status': [{'organization': 'AOA',
                           'status': 'Review completed; notifications sent'},
                          {'organization': 'Bell Ambulance',
                           'status': 'Investigation ongoing (as of April 22, '
                                     '2025)'},
                          {'organization': 'DaVita',
                           'status': 'Incident ongoing; extent of disruption '
                                     'unclear'}],
 'lessons_learned': 'The incidents underscore the critical need for healthcare '
                    'organizations to bolster cybersecurity defenses, '
                    'including robust incident response plans, regular '
                    'vulnerability assessments, employee training, and '
                    'proactive threat monitoring. The reliance on manual '
                    'processes during downtime highlights operational '
                    'vulnerabilities, while the theft of sensitive patient '
                    'data emphasizes the high stakes of data protection in '
                    'healthcare.',
 'motivation': 'Financial Gain (Extortion via Ransom Demands and Data Theft)',
 'ransomware': {'data_encryption': [{'organization': 'AOA', 'status': False},
                                    {'organization': 'Bell Ambulance',
                                     'status': None},
                                    {'organization': 'DaVita', 'status': True}],
                'data_exfiltration': [{'organization': 'AOA', 'status': True},
                                      {'organization': 'Bell Ambulance',
                                       'status': True},
                                      {'organization': 'DaVita',
                                       'status': None}],
                'ransom_demanded': [{'amount': None,
                                     'currency': None,
                                     'organization': 'AOA'},
                                    {'amount': 400000,
                                     'currency': 'USD',
                                     'organization': 'Bell Ambulance'},
                                    {'amount': None,
                                     'currency': None,
                                     'organization': 'DaVita'}],
                'ransom_paid': [{'organization': 'AOA', 'status': None},
                                {'organization': 'Bell Ambulance',
                                 'status': None},
                                {'organization': 'DaVita', 'status': None}],
                'ransomware_strain': [{'organization': 'AOA',
                                       'strain': 'BianLian'},
                                      {'organization': 'Bell Ambulance',
                                       'strain': 'Medusa'},
                                      {'organization': 'DaVita',
                                       'strain': None}]},
 'recommendations': ['Implement multi-layered security controls (e.g., '
                     'endpoint detection, network segmentation, zero-trust '
                     'architecture).',
                     'Conduct regular penetration testing and red team '
                     'exercises to identify vulnerabilities.',
                     'Enhance employee cybersecurity awareness training, '
                     'particularly for phishing and social engineering '
                     'threats.',
                     'Develop and test incident response and business '
                     'continuity plans to minimize downtime.',
                     'Adopt proactive threat intelligence sharing with '
                     'industry peers and government agencies (e.g., HHS, '
                     'CISA).',
                     'Offer credit monitoring and identity theft protection to '
                     'affected individuals when PII is compromised.',
                     'Ensure compliance with HIPAA and other relevant '
                     'regulations to mitigate legal and financial risks.'],
 'references': [{'source': 'Hackread.com'},
                {'source': 'Comparitech (BianLian’s Data Leak Site Listing for '
                           'AOA)'},
                {'source': 'AOA Breach Notification (PDF)'},
                {'source': 'Bell Ambulance Public Update (April 22, 2025)'},
                {'source': 'DaVita Official Statement'},
                {'source': 'Morphisec Report on ResolverRAT'}],
 'regulatory_compliance': {'regulations_violated': ['Potential HIPAA '
                                                    'violations (for all three '
                                                    'organizations)',
                                                    'State-level data breach '
                                                    'notification laws (e.g., '
                                                    'Alabama, Wisconsin)']},
 'response': {'communication_strategy': [{'action': 'Notification letters sent '
                                                    'to affected individuals '
                                                    '(PDF)',
                                          'organization': 'AOA'},
                                         {'action': 'Employee notification '
                                                    'about IT disruptions; '
                                                    'public update on April '
                                                    '22, 2025',
                                          'organization': 'Bell Ambulance'},
                                         {'action': 'Official statement '
                                                    'acknowledging incident '
                                                    'and operational impact',
                                          'organization': 'DaVita'}],
              'containment_measures': ['Investigation initiated (Bell '
                                       'Ambulance)',
                                       'Interim measures for system '
                                       'restoration (DaVita)',
                                       'Manual processes and contingency plans '
                                       '(DaVita)'],
              'incident_response_plan_activated': [{'organization': 'AOA',
                                                    'status': True},
                                                   {'organization': 'Bell '
                                                                    'Ambulance',
                                                    'status': True},
                                                   {'organization': 'DaVita',
                                                    'status': True}]},
 'threat_actor': [{'actor': 'BianLian', 'organization': 'AOA'},
                  {'actor': 'Medusa', 'organization': 'Bell Ambulance'},
                  {'organization': 'DaVita'}],
 'title': 'Ransomware Attacks on AOA, DaVita, and Bell Ambulance in 2025',
 'type': 'Ransomware Attack / Data Breach'}