Sunflower Medical Group receives class action lawsuit over cyber security failings

A class action lawsuit has been filed against Kansas-based Sunflower Medical Group after it failed to protect the sensitive personal information of its patients during a significant cyber security incident.

Earlier this month, Sunflower Medical Group said in a data security incident notice filed with the Office of Maine Attorney General that on January 7, it discovered that threat actors potentially accessed and acquired copies of certain files. The healthcare provider immediately launched an investigation, with assistance from external cyber security experts, secured the affected systems and notified relevant law enforcement authorities about the incident.

“The investigation determined that an unknown third party accessed Sunflower’s systems on or about December 15, 2024, and acquired copies of certain files from our systems as a part of the incident,” the healthcare provider said.

The compromised data included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical information, and health insurance information. In its filing with the Maine state regulator, Sunflower said  that it identified at least 220,968 individuals who were impacted by the incident. 

Recently, a class action lawsuit was filed against Sunflower in the U.S District Court for the Western District of Missouri that alleges that Sunflower failed to protect sensitive data from unauthorised access due to inadequate security practices.

The lawsuit, John Crisp v. Sunflower Medical Group, P.A., also claims that the healthcare company failed to state relevant actions being taken to improve its network security in data breach notices sent to affected individuals. Furthermore, credit monitoring and identity theft protection services were only offered to some of the affected individuals.

The Rhysida ransomware Group recently claimed responsibility for the cyber attack on Sunflower and listed it as a victim on its data leak site. The group claimed to be in possession of “more than 400 thousand driver’s licenses, insurance cards, social security numbers” that totalled more than 3 terabytes.

The group gave the healthcare provider a deadline of 6 days to pay a ransom of 10 bitcoins, threatening to leak the stolen data if the company didn’t comply.