Full Report
Survival Flight is an Arizona-headquartered firm that provides ground and air emergency medical transportation services. On August 12, it issued a substitute notice saying that on July 17, it had discovered a cybersecurity incident affecting its IT systems. In the substitute notice, which has not been updated as of this publication, the firm wrote: The investigation...
Analysis Summary
# Incident Report: Second Cybersecurity Incident at Survival Flight (July 2025)
## Executive Summary
Arizona-based emergency medical transportation firm Survival Flight discovered a cybersecurity incident on July 17, 2025, resulting in the likely exposure of patient personal and health insurance information. This marks the second reported data breach for the organization within a year, following a major ransomware attack in October 2024. While the investigation is ongoing, response actions have focused on determining the scope of the compromise and notifying affected parties.
## Incident Details
- Discovery Date: July 17, 2025
- Incident Date: On or before July 17, 2025 (as per substitute notice)
- Affected Organization: Survival Flight
- Sector: Healthcare/Emergency Medical Transportation
- Geography: Arizona-headquartered
## Timeline of Events
### Initial Access
- Date/Time: Pre-July 17, 2025
- Vector: Investigation pending; the report notes this is the *second* attack following a ransomware incident in October 2024.
- Details: The July 2025 incident resulted in unauthorized access to IT systems.
### Lateral Movement
- Details: Not disclosed in the initial substitute notice.
### Data Exfiltration/Impact
- Details: Name, address, medical treatment information, and health insurance information for certain patients were likely exposed. Threat actor "WorldLeaks" claimed responsibility and asserted acquisition of 2.8 TB of files, though this could not be immediately verified.
### Detection & Response
- Date/Time: Discovered on July 17, 2025.
- Details: Survival Flight issued a substitute notice on August 12, 2025. The organization is working to determine the full extent of the affected information and plans to notify individuals. No confirmed instances of fraud or identity theft have been identified as of the notice date.
## Attack Methodology
This report details the methodology for the *July 2025 incident*, though specific techniques are largely undisclosed by the victim:
- Initial Access: Unknown (Report suggests potential similarity to the 2024 attack, but confirmation is pending).
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Unknown, but related to patient PII and PHI.
- Exfiltration: Implied by the threat actor's claim of acquiring 2.8 TB of files.
- Impact: Data exposure/theft.
## Impact Assessment
- Financial: Unknown, but an investigation and remediation efforts are underway.
- Data Breach: Likely exposure of patient **Name, Address, Medical Treatment Information, and Health Insurance Information**. The scope (number of patients) is currently unknown/pending reporting to HHS.
- Operational: Potential operational risk due to the need to investigate the breach, especially critical for an emergency medical services provider whose ability to provide timely care could be impacted.
- Reputational: Negative, as this is the second disclosed incident in less than a year.
## Indicators of Compromise
*Note: No specific IOCs were provided in the source article.*
- Network Indicators: None provided.
- File Indicators: None provided.
- Behavioral Indicators: None provided.
## Response Actions
- Containment: Investigation is ongoing (as of August 12, 2025 notice).
- Eradication: Steps taken to reduce the likelihood of future events are implied, but specifics are not detailed.
- Recovery Actions: Survival Flight is determining the full extent of affected information and planning to notify impacted individuals and provide resources.
## Lessons Learned
- **Repeat Offender Risk:** The organization experienced two significant cyber incidents (a ransomware attack, then a likely data theft/extortion event, depending on the nature of the WorldLeaks claim) in under twelve months, suggesting systemic weaknesses that persisted after the October 2024 remediation.
- **Incomplete Remediation:** Questions remain about the effectiveness of the safeguards implemented after the October 2024 ransomware attack. The two incidents also differ in the data named as affected: the 2024 incident involved PHI including SSNs and financial information, while the 2025 notice names PII and health insurance data.
- **Transparency Concerns:** Initial disclosure via substitute notice was limited and did not acknowledge the threat actor (WorldLeaks) or the scale of the alleged exfiltration (2.8 TB).
## Recommendations
- Conduct a thorough, independent forensic review to definitively establish the initial attack vector and mechanism for the July 2025 incident.
- Review and significantly enhance security controls implemented following the October 2024 incident, focusing on known failure points (e.g., email security, endpoint detection, access controls).
- Ensure timely and transparent disclosure regarding the scale of the breach (number of affected individuals) as soon as it is determined, in compliance with regulations.
- Implement enhanced monitoring to detect precursor or associated activity from threat actors known to have targeted the organization previously.