A massive data breach at a private ambulance service company has left millions of individuals vulnerable to identity theft and financial fraud. Patricia Brooks filed a class action complaint against Acadian Ambulance Service, Inc. in the United States District Court for the Western District of Louisiana on August 7, 2024.
The lawsuit alleges that Acadian Ambulance Service failed to properly secure and safeguard personally identifiable information (PII) and protected health information (PHI) of its patients and employees. The compromised data includes full names, Social Security numbers, dates of birth, medical record numbers, and treatment information. The breach reportedly began in June 2024 when unauthorized third parties accessed this sensitive information from Acadian's systems. A cyber threat group known as Daixin claimed responsibility for the ransomware attack, demanding a $7 million ransom for the return of the stolen data. When Acadian allegedly offered only $173,000 in response, Daixin rejected it, leaving the PII and PHI at risk of being published on the dark web.
Brooks claims that Acadian Ambulance Service collected and utilized this sensitive information during its business operations across Louisiana, Texas, Tennessee, and Mississippi but failed to meet its statutory, regulatory, contractual, and common law duties to keep this information confidential and secure. Despite understanding these obligations through its privacy policy promises to safeguard such data, Acadian allegedly did not meet these reasonable expectations. This failure led to substantial harm for Brooks and other class members who now face an ongoing risk of identity theft.
The complaint details how hackers can exploit unencrypted PII by selling it on the dark web or using it for various fraudulent activities such as obtaining government benefits or medical services under false pretenses. It accuses Acadian of negligence in several areas including failing to design adequate data security systems, implement proper monitoring protocols, train staff effectively on data security practices, comply with industry standards like HIPAA regulations, and provide timely notification to affected individuals about the breach.
Brooks seeks compensatory damages for invasion of privacy; financial costs incurred due to actual identity theft; loss of time dealing with spam emails; diminished value of their personal information; anxiety; annoyance; nuisance; continued risk to their private information; reimbursement for out-of-pocket costs related to mitigating identity theft risks; future costs associated with identity theft monitoring services; injunctive relief requiring improvements in Acadian’s data security systems along with annual audits.
The case ID is 6:24-cv-01059.