One of the state’s largest private ambulance companies is facing a potentially massive class action lawsuit for waiting months to tell over 318,000 of their clients that their personal information was stolen by hackers.
Empress Ambulance Services also allegedly downplayed the hack by Hive Gang, a notorious ransomware group, telling its customers that only a “small subset of files” had been stolen — knowing that the social security numbers of at least 100,000 had been compromised, as well as medical information, according to the latest lawsuit against the company, filed in Manhattan federal court on Tuesday.
The hack occurred in late May, but the company did not detect it until July 14 — then waited until Sept. 9 to tell victims, according to the lawsuit.
Empress also allegedly did not tell its clients that the Hive Gang was the culprit behind the hack despite receiving braggadocios emails from the criminal enterprise, which reportedly became active in June 2021 and has since pocketed over $100 million in ransom payouts from 1,300 companies it targeted globally, according to the FBI.
“We infiltrated your network and stayed there for 12 days (it was enough to study
all your documentation and gain access to your files and services),
encrypted your servers, [d]ownloaded most important information with a total size over 280 GB,” the hacker group wrote Empress, according to the lawsuit.
The hacker group listed Empress on their website on the dark web shortly after the data breach, according to the lawsuit. Files taken from the ambulance company have since been found to be available to download on the dark web.
The lawsuit one of at least four separate complaints against Empress seeking an undisclosed amount in damages.
Empress did not respond to inquiries seeking comment.