Active breach tracker Arizona Disclosed September 15, 2025

Survival Flight Data Breach 2025: Worldleaks Ransomware Group Publishes 2.8 TB of Data on 97,217 Air-Ambulance Patients. What To Do

Survival Flight, Inc., a Chandler, Arizona–registered air and ground emergency medical transport provider, discovered a July 17, 2025 cyberattack and filed a HIPAA breach report with HHS OCR on September 15, 2025 covering 97,217 individuals. The Worldleaks ransomware group (formerly Hunters International) claimed responsibility and published roughly 2.8 TB of stolen files on its dark-web leak site. Survival Flight is offering 24 months of complimentary Cyberscout (TransUnion) credit monitoring; two plaintiff firms have publicly announced investigations.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 17, 2025

Survival Flight discovers cybersecurity incident affecting its IT systems; third-party forensic experts engaged and law enforcement notified

Jul 17, 2025

Attacker gained access

Aug 12, 2025

Substitute notice posted to survivalflightinc.com from Chandler, Arizona confirming name, address, medical treatment, and health insurance information likely exposed

Sep 12, 2025

Worldleaks (formerly Hunters International) lists Survival Flight on its dark-web leak site and publishes approximately 2.8 TB of stolen files

Sep 15, 2025

HHS OCR breach report filed: 97,217 individuals affected, Hacking/IT Incident, Network Server

Mar 6, 2026

Breach notification reported to the Massachusetts Office of Consumer Affairs and Business Regulation (14 Massachusetts residents) and at least 13 additional state attorneys general including California, Iowa, Maine, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical treatment information / medical records

03

Contact & insurance

Phishing + targeted scams

First and last name Address Financial account information Patient account number Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (investigation) Shamis & Gentile P.A. (investigation)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Survival Flight, Inc. is an air and ground emergency medical transport provider headquartered at 705 Heber Springs Road, Batesville, Arkansas, with operations spanning roughly eight states: Alabama, Arkansas, Florida, Georgia, Illinois, Missouri, Oklahoma, and Tennessee. Founded in 2010, the company operates a fleet of Bell helicopters and Pilatus PC-12 aircraft delivering 24/7 critical care transport with flight nurses, paramedics, and pilots. The corporate notice was signed out of Chandler, Arizona, which is how the company’s Arizona corporate registration produces an Arizona HHS OCR filing even though the operational headquarters and most patient-base sits in Arkansas and the Southeast. The affected population is patients transported by Survival Flight crews and a smaller set of employees whose data lived on the impacted network.

Timeline

On July 17, 2025, Survival Flight discovered a cybersecurity incident affecting its IT systems, engaged third-party forensic experts to contain and investigate, and notified law enforcement. On August 12, 2025, the company posted a substitute notice from its Chandler, Arizona office confirming that “name, address, medical treatment information and health insurance information was likely exposed for certain patients.” On or about September 12, 2025, the Worldleaks group listed Survival Flight on its dark-web leak site and published approximately 2.8 TB of stolen files. On September 15, 2025, Survival Flight filed its HIPAA breach report with HHS OCR reporting 97,217 individuals affected, categorized as a Hacking/IT Incident at a Network Server. State-level reporting followed across at least 14 state attorneys general: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, Washington, and the Massachusetts Office of Consumer Affairs and Business Regulation (March 6, 2026, covering 14 Massachusetts residents). Individual mailed notification letters followed the August substitute notice.

This is Survival Flight’s second disclosed cyber event inside roughly twelve months. A separate October 2024 email-account incident affected 12,342 individuals and remains a distinct OCR filing; it is not consolidated with the 2025 network-server intrusion.

About the Worldleaks group: Worldleaks launched January 1, 2025 as a direct rebrand of Hunters International, a ransomware-as-a-service operation active since late 2023 that was itself believed to be a successor to the Hive ransomware group dismantled by the FBI in 2023. Rather than encrypting files, Worldleaks operates a pure data-extortion model. It runs a proprietary “Insider journalist portal” that grants media outlets 24-hour advance access to stolen data before it is published on the main leak site, amplifying reputational damage. As of October 2025 Worldleaks remained active. Independent security researchers at Group-IB, SecurityWeek, and Halcyon have confirmed the Hunters International rebrand and the shift to encryption-less extortion.

What was exposed

The August 12 substitute notice publicly names a narrower set than the data later observed in the Worldleaks leak and the individual notification letters subsequently mailed. Synthesizing the entity’s substitute notice with state attorney general filings and independent reporting on the published dataset, exposed elements include:

  • First and last name
  • Address
  • Date of birth
  • Social Security number
  • Financial account information (including some payment-card information for transported patients)
  • Patient account number
  • Medical records and treatment information
  • Health insurance information

Air-ambulance records are unusually dense. They typically capture the chief complaint, on-scene clinical assessment, vital signs, interventions and medications administered, receiving facility, and the responding flight or ground crew narrative. The full identity stack (name + DOB + SSN + financial account) is the highest-risk combination for synthetic-identity creation and tax-refund fraud, and the medical detail makes medical-identity fraud durable for years after the headline news cycle ends.

What Survival Flight is offering

  • 24 months of complimentary credit monitoring and fraud assistance through Cyberscout (a TransUnion brand). Individual notification letters include a unique enrollment code with a 90-day activation window.
  • Dedicated assistance line: 1-833-844-8218, Monday through Friday, 8:00 a.m. to 8:00 p.m. ET.
  • Network remediation: containment, third-party forensic review, additional system monitoring, and security hardening as described in the substitute notice.
  • Corporate office: Chandler, Arizona (signatory of the September 2025 notice and the company’s HIPAA point of contact for this incident).

Class-action posture

No consolidated class action has been publicly docketed and reported in established trade press as of this writing. Two plaintiff firms have publicly announced investigations soliciting affected individuals:

  • Strauss Borrelli PLLC — investigation page dated October 21, 2025.
  • Shamis & Gentile P.A. — claims intake referenced in ClaimDepot’s investigation listing.

Survival Flight’s profile — six-figure affected count, ransomware exfiltration with data already published on a dark-web leak site, SSNs and financial account information at issue — typically draws putative class complaints in either the U.S. District Court for the District of Arizona (corporate venue) or the Eastern District of Arkansas (operations hub). This page will be updated when a complaint is filed.

What to do

  1. Place free credit freezes at Equifax, Experian, and TransUnion. Ten minutes per bureau, no cost, and the highest-leverage protection against the SSN + DOB + financial account combination Worldleaks published.
  2. Enroll in the 24 months of Cyberscout / TransUnion credit monitoring included with your notification letter. The activation code is time-limited (90 days from the letter date).
  3. Watch your Explanation of Benefits and pharmacy records for transports, claims, or prescriptions you did not receive. Medical-identity fraud often surfaces in EOBs months after a leak.
  4. Replace any compromised financial accounts flagged in your letter, and set transaction alerts on the accounts that remain.
  5. Save your notification letter. If a class action is later certified, the notice ID and mailing date are needed to file a claim.
  6. Stop the ongoing flow of your medical data. HealthConsent files HIPAA right-to-restrict and accounting-of-disclosures requests across providers, insurers, EMS billing networks, and prescription clearinghouses so that a single intrusion stops cascading into new exposures.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.