Kansas healthcare provider Sunflower Medical Group reports major data breach

Kansas-based Sunflower Medical Group has confirmed a significant data breach that compromised the personal and confidential information of 220,968 individuals. The healthcare provider disclosed the breach to authorities on March 7, 2025, detailing the extent of the security incident and the measures taken in response.

In a public statement titled "Notice of a Data Security Incident," Sunflower Medical Group outlined how the breach was first detected on January 7, 2025, when suspicious activity was identified within its computer network. A subsequent investigation, conducted in collaboration with an unnamed cybersecurity organization, revealed that an unauthorized third party had accessed Sunflower’s systems as early as December 15, 2024. The breach resulted in the exposure of sensitive personal data, including names, addresses, dates of birth, Social Security numbers, medical records, and health insurance details. The extent of compromised information varies for each affected individual.

In response, Sunflower Medical Group has notified impacted individuals and offered complimentary identity theft protection services. While the company stated that there is no evidence of misuse of the stolen data, it advised those affected to monitor their accounts for any suspicious activity and report potential identity fraud to relevant authorities. Sunflower also directed individuals to additional identity protection resources, including information available through the Federal Trade Commission (FTC).

Although Sunflower Medical Group did not confirm the exact nature of the attack or the involvement of ransomware, the Rhysida ransomware gang has claimed responsibility for the breach. On January 7, 2025, ransomware tracking sites circulated screenshots of the group boasting about possessing "exclusive, unique, and impressive data" stolen from Sunflower. The group alleged that it had exfiltrated more than 3 terabytes of data, including a SQL database containing extensive personal and medical records.

The Rhysida ransomware group has been linked to several high-profile cyberattacks since its emergence in 2023. In August 2024, the group targeted the Seattle-Tacoma (Sea-Tac) airport and its overseeing port, demanding a $6 million ransom. Additionally, the group has a history of attacking healthcare institutions, including a breach at London’s King Edward VII Hospital, where they claimed to have obtained sensitive information related to the British royal family.