An ambulance billing and medical collections firm agreed to pay $515,000 to Massachusetts and Indiana attorneys general following a hack that compromised patient data. The firm provided revenue cycle management services for ambulance providers, storing patient names, dates of service, insurance information, and potentially Social Security numbers and treatment data. The settlement required the firm to implement enhanced cybersecurity controls including encryption, MFA, and employee training. Multi-state enforcement actions against healthcare vendors for data security failures are increasingly common following major HHS OCR settlements.