Survival Flight is an Arizona-headquartered firm that provides ground and air emergency medical transportation services.
On August 12, they issued a substitute notice saying that on July 17, they had discovered a cybersecurity incident affecting their IT systems. In their substitute notice, which has not been updated as of this publication, they wrote:
The investigation to date has identified that name, address, medical treatment information and health insurance information was likely exposed for certain patients as a result of this incident. Survival Flight is working to determine the full extent of affected information. Once the investigation is complete, Survival Flight will be notifying individuals whose personal information was involved and providing resources they can use to help protect their information. As of this notice, the investigation has not identified any instances of fraud or identity theft that have occurred as a result of this incident.
Survival Flight takes its responsibility to safeguard personal information seriously and regrets any concern this incident may have caused. As part of Survival Flight’s ongoing commitment to the security of information, the organization has taken steps to help reduce the likelihood of a similar event in the future.
The notice does not indicate whether any ransom note was received. It does not disclose that WorldLeaks claimed responsibility for the attack and claimed to have acquired 2.8 TB of files, and it does not disclose whether WorldLeaks has dumped data it claimed to have acquired.
The incident does not yet show up on HHS’s public breach tool, so we do not know the total number of patients or people affected.
DataBreaches was able to preview the data leak even though it is not yet publicly released. The data tranche includes a lot of internal business files, but it also includes some patient information and member information, including financial information such as credit card information and health insurance information for some patients who were transported.
Previous Ransomware Incident
The July 2025 incident is the second cyberattack that Survival Flight has disclosed in less than a year. In October 2024, they notified HHS of an incident that affected 10,989 patients. HHS investigated that incident and wrote the following closing statement:
… the covered entity (CE), reported that it experienced a ransomware incident that affected the protected health information (PHI) of 10,989 individuals. The PHI involved included names, addresses, drivers’ license and Social Security numbers, dates of birth, diagnoses, financial information, and claims information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards.
That incident had been reported to HHS as affecting data in email. What additional safeguards did Survival Flight deploy following that incident? And how were they attacked this time?
DataBreaches also sent a contact form inquiry to Survival Flight asking whether the attackers gained access the same way the 2024 attackers had gained access, whether WorldLeaks encrypted any files, and whether WorldLeaks has sent them any ransom demand. This post will be updated when a reply is received.
WorldLeaks: Stop It!
Survival Flight provides emergency medical services. Any attack on them that prevents their systems from working properly, or impairs their ability to access patient records that they have on file and may need during emergency transportation, puts lives at risk. DataBreaches reminds ALL threat actors not to put lives at risk by attacking medical entities. Even if files are not encrypted, the disruption to services caused by the need to pull services offline to investigate attacks can delay treatment and put more lives at risk.
Just stop it.
This post was updated on September 19 to include a description of the data tranche.