Woods Lonergan PLLC Announces Investigation into Sunflower Medical Group Data Breach for Potential Class Action

By James Woods
Managing Partner

NEW YORK, NY – March 12, 2025 – Woods Lonergan PLLC, a leading complex litigation firm whose practice includes class action lawsuits and data privacy litigation, is investigating a potential class action lawsuit against Sunflower Medical Group, a Kansas-based multi-specialty medical group, following a significant data breach that exposed the personal information and protected health information (PHI) of more than 220,000 patients. The compromised data may include a wide range of highly sensitive information:

  • Full Names
  • Addresses
  • Dates of Birth
  • Social Security Numbers (SSNs)
  • Driver’s License Numbers
  • Medical Information
  • Health Insurance Information

If you or a family member received a data breach notification letter from Sunflower Medical Group concerning this cyberattack, your personal and medical information may be at risk. Contact Woods Lonergan PLLC, a leading firm in data breach litigation, to discuss your legal options. Call Woods Lonergan PLLC at 212-684-2500 to speak with our Data Breach Litigation Team today.

Details of the Sunflower Medical Group Data Breach and Alleged Negligence

Sunflower Medical Group operates four urgent care locations and multiple facilities offering primary care, obstetrics, and lab testing in Kansas City, Lenexa, and Roeland Park, Kansas. Despite its responsibility to protect patient data, the organization suffered a significant security failure. Sunflower Medical Group has posted information about the data security incident on its website: https://sunflowermed.com/data-security-incident/.

The Timeline of the Breach Highlights Potential Negligence:

  • Sunflower Medical Group Breach Start Date: December 15, 2024
  • Sunflower Medical Group Breach Discovery Date: January 7, 2025
  • Sunflower Medical Group Notification Date: March 11, 2025 
  • Sunflower Medical Group Notification Delay: 64 days (from discovery to notification)

This 64-day gap between discovery of the breach and notification of potentially affected individuals is a serious concern. Breach notification is regulated at both the federal and state level. For protected health information, the HIPAA Breach Notification Rule requires a covered entity to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, and state consumer notification statutes commonly set 30- to 45-day deadlines. Kansas’s statute, Kan. Stat. § 50-7a01 et seq., requires businesses to notify affected residents “in the most expedient time possible and without unreasonable delay” following discovery of a data breach. The breach also likely affects residents of Kansas City, Missouri, given the location of Sunflower Medical Group’s facilities.

The Rhysida ransomware group claimed responsibility for the attack, listing Sunflower Medical Group on its data leak site on January 7, 2025, the same day Sunflower Medical Group reported discovering the breach.

The Rhysida ransomware gang threatened to leak the stolen data unless a ransom of roughly $800,000 was paid. Rhysida claimed to have exfiltrated a 3-terabyte SQL database containing the data of approximately 400,000 individuals, whereas Sunflower Medical Group reported a lower figure of 220,968 affected individuals to the Maine Attorney General.

When Rhysida published the data, it claimed the leak totaled 7.6 TB across 5,277,062 files. The gap between the number of individuals Rhysida claims and the number Sunflower Medical Group reported, together with the volume of data leaked, raises questions about the thoroughness of the company’s data management and breach assessment.

Rhysida described the leaked material as “more than 400,000 driver’s licenses, insurance cards, SSN, and other files,” including a SQL database of more than 3 TB. DataBreaches.net examined the leak and confirmed that it included “entire backups… folders with driver’s licenses and insurance cards… [and] folders with patient complaints and other correspondence concerning named patients.”

Rhysida has a history of targeting healthcare organizations, with recent victims including Community Care Alliance and Ann & Robert H. Lurie Children’s Hospital in Chicago.

It is also concerning that Sunflower Medical Group offered credit monitoring only to individuals whose SSNs or driver’s license numbers were involved. This suggests the risk to individuals whose other sensitive data (medical information, health insurance details) was exposed may have been downplayed.

“Ransomware groups like Rhysida are increasingly targeting healthcare providers, recognizing the value and sensitivity of the data they hold,” said Eduard Kovacs, SecurityWeek, March 12, 2025. “The exfiltration of such a large volume of data, including entire backups, points to potential weaknesses in Sunflower Medical Group’s data security posture.”

Patient Care Affected by the Sunflower Medical Group Data Breach

Patients who received care in any of Sunflower Medical Group’s service lines may be affected, including:

  • Medical
  • Primary Care
  • Obstetrics
  • Lab Testing

Potential Impact on Victims of the Sunflower Medical Group Data Breach

The Sunflower Medical Group data breach places over 220,000 individuals at significant risk of:

  • Medical Identity Theft: Stolen PHI can be used to obtain medical services, prescriptions, or equipment fraudulently, potentially leading to inaccurate medical records and financial burdens for victims.
  • Financial Identity Theft: Stolen SSNs and other PII can be used to open fraudulent accounts, apply for loans, and commit other forms of financial fraud.
  • Targeted Phishing Attacks: The detailed personal and medical information makes victims highly susceptible to sophisticated phishing and social engineering attacks.
  • Privacy Violations and Potential Blackmail: The exposure of sensitive medical information and personal correspondence can lead to significant privacy violations and even potential blackmail.
  • Emotional Distress and Anxiety: The breach of such personal and private information can cause significant emotional distress and anxiety for victims.

Legal Claims in the Sunflower Medical Group Data Breach

Woods Lonergan PLLC’s Data Breach attorneys are focused on potential violations of:

  • HIPAA (Health Insurance Portability and Accountability Act): Sunflower Medical Group, as a covered entity, has a legal obligation to protect patient PHI under HIPAA.
  • State Data Breach Notification Laws: Violations of relevant state laws (Kansas, and potentially other states where affected individuals reside) requiring timely notification and adequate data security measures.
  • Negligence: Sunflower Medical Group’s failure to adequately protect sensitive data, its failure to detect the breach promptly, and its potentially inadequate response to the breach.
  • Breach of Contract: Potential breach of implied or express contracts with patients to protect their confidential information.
  • Other Potential Claims: Depending on the specific circumstances and applicable state laws, additional claims may be possible.

“The delayed notification, along with the appearance of Sunflower Medical Group patient data on the dark web, raises serious concerns. Limiting credit monitoring to only those with exposed SSNs or driver’s licenses potentially minimizes the risk to all affected individuals. These individuals must understand their legal rights. Woods Lonergan PLLC is committed to full accountability and just compensation.” – Jim Woods, Managing Partner, Woods Lonergan PLLC

Contact our Data Breach Litigation Team

If you or a family member received a data breach notification letter from Sunflower Medical Group concerning the recent cyberattack, your personal and medical information may be at risk.

Contact Woods Lonergan PLLC, a leading firm in data breach litigation, at 212-684-2500 to discuss your legal options with our Data Breach Litigation Team today.

About Woods Lonergan PLLC

Woods Lonergan PLLC is a leading New York-based litigation firm specializing in class action lawsuits and data privacy litigation. With over 30 years of experience, our firm is a leader in complex litigation and trial law in the New York Metro Area, collaborating with co-counsel throughout the United States.

Our firm is currently representing plaintiffs in the 23andMe Data Breach Lawsuit, in which a proposed settlement of $30 million is pending approval in the U.S. District Court for the Northern District of California. Woods Lonergan has a proven track record of holding large corporations accountable for failing to protect highly sensitive consumer data.

Contact Woods Lonergan PLLC, a leading firm in data breach litigation, to discuss your legal options. Please call Woods Lonergan PLLC at 212-684-2500 to speak with our Data Breach Litigation Team today.

About the Author

James Woods, Managing Partner of Woods Lonergan, holds more than 25 years of experience in corporate, real estate, and business legal matters. His expertise in handling negotiations, litigation, jury trials, and all forms of alternative dispute resolution spans multiple areas, including corporate, real estate, and commercial litigation. James actively represents dozens of Cooperative and Condominium Boards and serves as counsel to many Corporate Boards. Prior to founding the firm, James proudly served as an Assistant District Attorney for Nassau County and handled both jury and bench trials. With experience that also covers sophisticated transactions and complex acquisitions, James also serves as counsel to several domestic companies in a range of industries and commercial arenas, including real estate, insurance, banking, transportation, and construction. If you have any questions about this article you can contact attorney James Woods through his biography page.

Disclaimer: The information in this article and blog post (“post”) is provided for informational purposes only, and may not reflect the current law(s) in every jurisdiction. No information contained in this post should be construed as legal advice from Woods Lonergan PLLC or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. Nothing herein shall be construed to create an attorney-client relationship with Woods Lonergan PLLC. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the recipient’s jurisdiction. This post is attorney advertising.