
Top 5 cybersecurity incidents of 2025 that signal potential operational disruption risk for NEMT

Written by Kinetik | Feb 3, 2026 9:20:04 PM

The threat landscape shifted in 2025. Ransomware now targets operational disruption over ransom payments. Data theft happens silently. Your biggest vulnerabilities aren't your own systems. Your biggest vulnerabilities are your hospital partners, dispatch vendors, and billing integrations. Here's what happened in 2025 and why it matters to NEMT:

  • Marks & Spencer (M&S) (April): Social engineering through contractors disabled online shopping for 6 weeks. £300M in losses.

  • Jaguar Land Rover (JLR) (September): A cyberattack halted production. Car registrations stopped. Ripple effects across the UK economy. Your partners could be hit by similar attacks or caught in the resulting cascades.

  • SharePoint ToolShell (July): At least 396 systems compromised silently. No encryption, no ransom notes—just data stolen. Your health plan’s or your broker’s SharePoint could have been affected without you knowing.

  • Salesforce Campaign (Ongoing): Attackers compromised customer accounts, not the platform. If you use Salesforce for member, transportation provider, or broker management, stolen credentials mean direct access to your data.

  • Chinese Surveillance Breach (June): 4 billion records exposed—financial data, WeChat, Alipay, behavioral profiles. Your members' data is part of searchable aggregations used for phishing and fraud.

What this means: Your operational resilience depends on three things: knowing your third-party risk landscape, assuming you will be targeted (not if), and having a recovery plan that doesn't require your IT systems to be functional. We selected these incidents based on operational disruption impact, not ransom paid or media hype.

What these five incidents reveal about 2025's threat landscape

Looking across these incidents, several patterns emerge that should shape how you view your NEMT operation's risk.

Pattern 1: Third-party risk is now first-party risk

M&S was compromised through contractors. Salesforce victims were hit through OAuth integrations. Acadian Ambulance was hit through network access. Your dispatch vendor, EHR integration, billing processor, or insurance partner could be the entry point that brings down your operation.

Action: Audit third-party access privileges. Know who has write access to your dispatch systems, your member records, your billing flows. Don't assume your vendors are secure just because they're big.

Pattern 2: Data theft without encryption is the new normal

ToolShell exploited systems silently. Salesforce campaigns used credential theft without disrupting access. Only 34% of healthcare ransomware attacks in 2025 resulted in data encryption—down from 74% in 2024. Attackers are shifting to extortion-only tactics: steal data quietly, demand payment to prevent exposure.

Why it matters: You can't rely on your systems "looking broken" to tell you you've been breached. Silent exfiltration means compromises go undetected for weeks or months until a threat actor demands money or data appears on a dark web forum.

Pattern 3: Operational disruption cascades

When M&S went offline, supply chains broke. When JLR's systems went down, car dealers couldn't function. When hospitals get hit with ransomware, ambulances divert. For NEMT, your operational risk isn't just about your own systems—it's about downstream effects when hospital partners, insurance companies, or dispatch vendors get hit.

The question: If your primary broker or transportation provider got ransomware-locked tomorrow, would you have a manual workflow? Can you route around them?

Why these incidents should inform how you choose NEMT partners

Each of these incidents shows a different threat vector that directly or indirectly impacts NEMT operations: third-party compromise, production shutdowns, silent exfiltration, credential theft, and state-level data collection.


The bottom line

It’s not just about data breaches anymore. It's about the scenarios where your systems go offline, your partners can't verify insurance, transportation providers can’t handle volume, and your drivers are managing routes manually while claims pile up in a queue.

The five incidents we've reviewed—M&S, JLR, ToolShell, Salesforce, and the Chinese surveillance network—weren't selected because they're the "biggest" by some universal metric. They were selected because each one shows a different threat vector that directly or indirectly impacts NEMT operations: third-party compromise, production shutdowns, silent exfiltration, credential theft, and state-level data collection.

Your operational resilience depends on three things: knowing your third-party risk landscape, assuming you will be targeted (not if), and having a recovery plan that doesn't require your IT systems to be functional.

Because your members, transportation providers, and partners are counting on your NEMT program to stay operational.

About the Author

Irina Mason, SecOps Engineer at Kinetik, learned that in cybersecurity, the only thing more dangerous than being paranoid is not being paranoid enough.

Spoiler alert: it's never fine.