Survival Flight Data Breach 2025: Worldleaks Ransomware Group Publishes 2.8 TB of Data on 97,217 Air-Ambulance Patients. What To Do
Survival Flight, Inc., a Chandler, Arizona–registered air and ground emergency medical transport provider, discovered a July 17, 2025 cyberattack and filed a HIPAA breach report with HHS OCR on September 15, 2025 covering 97,217 individuals. The Worldleaks ransomware group (formerly Hunters International) claimed responsibility and published roughly 2.8 TB of stolen files on its dark-web leak site. Survival Flight is offering 24 months of complimentary Cyberscout (TransUnion) credit monitoring; two plaintiff firms have publicly announced investigations.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jul 17, 2025
Survival Flight discovers cybersecurity incident affecting its IT systems; third-party forensic experts engaged and law enforcement notified
Jul 17, 2025
Attacker gained access
Aug 12, 2025
Substitute notice posted to survivalflightinc.com from Chandler, Arizona confirming name, address, medical treatment, and health insurance information likely exposed
Sep 12, 2025
Worldleaks (formerly Hunters International) lists Survival Flight on its dark-web leak site and publishes approximately 2.8 TB of stolen files
Sep 15, 2025
HHS OCR breach report filed: 97,217 individuals affected, Hacking/IT Incident, Network Server
Mar 6, 2026
Breach notification reported to the Massachusetts Office of Consumer Affairs and Business Regulation (14 Massachusetts residents) and at least 13 additional state attorneys general including California, Iowa, Maine, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington
Jul 17, 2025
Survival Flight discovers cybersecurity incident affecting its IT systems; third-party forensic experts engaged and law enforcement notified
Jul 17, 2025
Attacker gained access
Aug 12, 2025
Substitute notice posted to survivalflightinc.com from Chandler, Arizona confirming name, address, medical treatment, and health insurance information likely exposed
Sep 12, 2025
Worldleaks (formerly Hunters International) lists Survival Flight on its dark-web leak site and publishes approximately 2.8 TB of stolen files
Sep 15, 2025
HHS OCR breach report filed: 97,217 individuals affected, Hacking/IT Incident, Network Server
Mar 6, 2026
Breach notification reported to the Massachusetts Office of Consumer Affairs and Business Regulation (14 Massachusetts residents) and at least 13 additional state attorneys general including California, Iowa, Maine, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Survival Flight, Inc. is an air and ground emergency medical transport provider headquartered at 705 Heber Springs Road, Batesville, Arkansas, with operations spanning roughly eight states: Alabama, Arkansas, Florida, Georgia, Illinois, Missouri, Oklahoma, and Tennessee. Founded in 2010, the company operates a fleet of Bell helicopters and Pilatus PC-12 aircraft delivering 24/7 critical care transport with flight nurses, paramedics, and pilots. The corporate notice was signed out of Chandler, Arizona, which is how the company’s Arizona corporate registration produces an Arizona HHS OCR filing even though the operational headquarters and most patient-base sits in Arkansas and the Southeast. The affected population is patients transported by Survival Flight crews and a smaller set of employees whose data lived on the impacted network.
Timeline
On July 17, 2025, Survival Flight discovered a cybersecurity incident affecting its IT systems, engaged third-party forensic experts to contain and investigate, and notified law enforcement. On August 12, 2025, the company posted a substitute notice from its Chandler, Arizona office confirming that “name, address, medical treatment information and health insurance information was likely exposed for certain patients.” On or about September 12, 2025, the Worldleaks group listed Survival Flight on its dark-web leak site and published approximately 2.8 TB of stolen files. On September 15, 2025, Survival Flight filed its HIPAA breach report with HHS OCR reporting 97,217 individuals affected, categorized as a Hacking/IT Incident at a Network Server. State-level reporting followed across at least 14 state attorneys general: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, Washington, and the Massachusetts Office of Consumer Affairs and Business Regulation (March 6, 2026, covering 14 Massachusetts residents). Individual mailed notification letters followed the August substitute notice.
This is Survival Flight’s second disclosed cyber event inside roughly twelve months. A separate October 2024 email-account incident affected 12,342 individuals and remains a distinct OCR filing; it is not consolidated with the 2025 network-server intrusion.
About the Worldleaks group: Worldleaks launched January 1, 2025 as a direct rebrand of Hunters International, a ransomware-as-a-service operation active since late 2023 that was itself believed to be a successor to the Hive ransomware group dismantled by the FBI in 2023. Rather than encrypting files, Worldleaks operates a pure data-extortion model. It runs a proprietary “Insider journalist portal” that grants media outlets 24-hour advance access to stolen data before it is published on the main leak site, amplifying reputational damage. As of October 2025 Worldleaks remained active. Independent security researchers at Group-IB, SecurityWeek, and Halcyon have confirmed the Hunters International rebrand and the shift to encryption-less extortion.
What was exposed
The August 12 substitute notice publicly names a narrower set than the data later observed in the Worldleaks leak and the individual notification letters subsequently mailed. Synthesizing the entity’s substitute notice with state attorney general filings and independent reporting on the published dataset, exposed elements include:
- First and last name
- Address
- Date of birth
- Social Security number
- Financial account information (including some payment-card information for transported patients)
- Patient account number
- Medical records and treatment information
- Health insurance information
Air-ambulance records are unusually dense. They typically capture the chief complaint, on-scene clinical assessment, vital signs, interventions and medications administered, receiving facility, and the responding flight or ground crew narrative. The full identity stack (name + DOB + SSN + financial account) is the highest-risk combination for synthetic-identity creation and tax-refund fraud, and the medical detail makes medical-identity fraud durable for years after the headline news cycle ends.
What Survival Flight is offering
- 24 months of complimentary credit monitoring and fraud assistance through Cyberscout (a TransUnion brand). Individual notification letters include a unique enrollment code with a 90-day activation window.
- Dedicated assistance line: 1-833-844-8218, Monday through Friday, 8:00 a.m. to 8:00 p.m. ET.
- Network remediation: containment, third-party forensic review, additional system monitoring, and security hardening as described in the substitute notice.
- Corporate office: Chandler, Arizona (signatory of the September 2025 notice and the company’s HIPAA point of contact for this incident).
Class-action posture
No consolidated class action has been publicly docketed and reported in established trade press as of this writing. Two plaintiff firms have publicly announced investigations soliciting affected individuals:
- Strauss Borrelli PLLC — investigation page dated October 21, 2025.
- Shamis & Gentile P.A. — claims intake referenced in ClaimDepot’s investigation listing.
Survival Flight’s profile — six-figure affected count, ransomware exfiltration with data already published on a dark-web leak site, SSNs and financial account information at issue — typically draws putative class complaints in either the U.S. District Court for the District of Arizona (corporate venue) or the Eastern District of Arkansas (operations hub). This page will be updated when a complaint is filed.
What to do
- Place free credit freezes at Equifax, Experian, and TransUnion. Ten minutes per bureau, no cost, and the highest-leverage protection against the SSN + DOB + financial account combination Worldleaks published.
- Enroll in the 24 months of Cyberscout / TransUnion credit monitoring included with your notification letter. The activation code is time-limited (90 days from the letter date).
- Watch your Explanation of Benefits and pharmacy records for transports, claims, or prescriptions you did not receive. Medical-identity fraud often surfaces in EOBs months after a leak.
- Replace any compromised financial accounts flagged in your letter, and set transaction alerts on the accounts that remain.
- Save your notification letter. If a class action is later certified, the notice ID and mailing date are needed to file a claim.
- Stop the ongoing flow of your medical data. HealthConsent files HIPAA right-to-restrict and accounting-of-disclosures requests across providers, insurers, EMS billing networks, and prescription clearinghouses so that a single intrusion stops cascading into new exposures.
Sources
- Survival Flight: Notice of Data Security Incident (Chandler, Arizona) — entity’s own substitute notice PDF; dated August 12, 2025; confirms Chandler, Arizona dateline, July 17 discovery, narrower data set, and 1-833-844-8218 call center.
- DataBreaches.Net: Survival Flight reports second cybersecurity incident in less than a year — Worldleaks attribution, 2.8 TB leak, contrast with the prior 2024 email-account incident.
- HIPAA Journal: Goshen Medical Center and Survival Flight hacking incidents — trade-press timeline, dedicated call-center number, prior 2024 incident context.
- BreachSense: Survival Flight Data Breach in 2025 — credit monitoring vendor (Cyberscout / TransUnion), 24-month duration and 90-day enrollment window, Worldleaks dark-web posting date.
- Strauss Borrelli PLLC: Survival Flight Data Breach Investigation — plaintiff-firm investigation, operations footprint across eight states.
- ClaimDepot: Survival Flight Data Breach Lawsuit Investigation — Massachusetts AG notification date, second plaintiff-firm investigation, expanded data-element list including SSN, DOB, financial account, and patient account number.
- ClaimDepot: Survival Flight Data Breach Exposes Patient PII and PHI — multi-state AG filing source list (California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, Washington).
- Infosecurity Magazine: Hunters International Is Not Shutting Down, It’s Rebranding — confirms Worldleaks as direct Hunters International rebrand launched January 2025; pure data-extortion model; Group-IB and Prodaft sourcing.
- Halcyon: World Leaks threat-actor profile — Extortion-as-a-Service platform detail; Insider journalist portal; Secp0 ransomware partnership; active as of October 2025.
- HHS Office for Civil Rights Breach Portal — federal regulatory record (97,217 affected, Hacking/IT Incident, Network Server, filed 2025-09-15, Arizona, Healthcare Provider).
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Survival Flight: Notice of Data Security Incident (Chandler, Arizona) — entity PDF
- DataBreaches.Net: Survival Flight reports second cybersecurity incident in less than a year
- HIPAA Journal: Goshen Medical Center and Survival Flight hacking incidents
- BreachSense: Survival Flight Data Breach in 2025
- Strauss Borrelli PLLC: Survival Flight Data Breach Investigation
- ClaimDepot: Survival Flight Data Breach Lawsuit Investigation
- HHS Office for Civil Rights Breach Portal
- ClaimDepot: Survival Flight Data Breach — multi-state AG filing source list
- Infosecurity Magazine: Hunters International Is Not Shutting Down, It's Rebranding (Worldleaks)
- Halcyon: World Leaks threat-actor profile
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.