Over 118K affected by MedEx Ambulance data breach

On April 14, 2025, an Illinois-based EMS provider, Medical Express Ambulance Inc., operating as MedEx Ambulance, announced a data breach that compromised 118,164 individuals’ protected health information (PHI).

 

What happened

On March 18, 2024, MedEx Ambulance experienced a network disruption that impacted its systems’ functionality and accessibility. After discovering the breach, the company launched an investigation, confirming that an unauthorized third party accessed sensitive information stored on its network. The review concluded on March 19, 2025, revealing that personal and protected health information had potentially been exposed.

Exposed data includes names, Social Security numbers, dates of birth, demographic details, driver’s license numbers, passport information, financial account information, medical and health insurance records, and login credentials.

MedEx began mailing breach notification letters to affected individuals on April 14, 2025, and is offering 12 months of free credit monitoring services.

 

What was said

In the MedEx letter to the Maine Attorney General, Cybersecurity and Data Protection Attorney Joseph M. Fusz states, “[The organization] has not received any reports of related identity theft since the date of the incident (March 18, 2024, to present).”

Additionally, the MedEx public data breach notice says, “We recognize that you may have questions not addressed in this notice. If you have additional questions, please call 855-659-0097, Monday through Friday, 9:00 A.M. to 9:00 P.M. Central Time, except holidays.”

 

By the numbers

Founded in 1998, the company has over 200 employees with a fleet of 80+ ambulances.

 

The big picture

The compromised data includes information protected under HIPAA, so while MedEx has offered affected individuals credit monitoring, the data breach still exposes them to identity theft and insurance fraud.

Therefore, covered entities, like MedEx, must uphold HIPAA standards through advanced data protection strategies, including HIPAA-compliant communications and access control systems, to safeguard individuals’ PHI.

 

The bottom line

Individuals affected by the MedEx breach must monitor their financial and medical records and use the complimentary credit monitoring services offered.

 

FAQs

What is a covered entity?

A covered entity is any healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically.

 

Does HIPAA apply in emergency situations?

Yes, HIPAA regulations apply in emergencies, requiring EMS staff to maintain patient privacy while providing urgent medical care.

 

What are the penalties for violating HIPAA?

As of March 2025, HIPAA violations incur fines from $141 to $2,134,831 per violation, depending on culpability. Tier 1 penalties apply to unintentional violations ($141–$35,581), while Tier 2 covers breaches due to reasonable cause ($1,424–$71,162). Tier 3 applies to willful neglect corrected within 30 days ($14,232–$71,162), and Tier 4 penalizes uncorrected willful neglect with the highest fines ($71,162–$2,134,831).

These fines adjust annually for inflation, and severe cases may result in criminal charges, reputational harm, and mandatory corrective actions.