Sunflower Medical Group 2025 Data Breach

Sunflower Medical Group Breach (2025): 221K Patient Records Including Medical Diagnoses, SSN & Driver's License Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

RhysidaRansomware / ExtortionMedicalAccount BalanceDate of BirthDriver's LicenseEmail AddressFull NameHealth InsuranceMedical Diagnosis
High SeverityWebsite / service breach

Sunflower Medical Group Breach (2025): 221K Patient Records Including Medical Diagnoses, SSN & Driver's License Exposed

Primary and specialty care medical group.

Verified by ObscureIQ Intelligence
75/100Breach Risk Index
60Data Value
25Market Recency
483dSince Breach

Breach Intelligence Summary

Entity: Sunflower Medical Group · Actor: Rhysida · Sources: 2 references
Attack: Ransomware / Extortion
Profile: Healthcare provider · Primary and specialty care services · Medical practice network · USA
Timeline: Breach (2025-01-07) · Year (2025)
Exposure: 221K records · 10 fields: Account Balance, Date of Birth, Driver's License, Email Address, Full Name, Health Insurance, Medical Diagnosis, Phone Number, Physical Address, Social Security Number
Status: Confirmed

Executive Summary

Kansas-based Sunflower Medical Group detected unusual network activity on January 7, 2025 and determined an unauthorized party had accessed its systems around December 15, 2024, copying files with sensitive personal information. The Rhysida ransomware group claimed responsibility, advertising an exfiltrated ~3 TB SQL database (claimed to hold data on roughly 400,000 patients). Sunflower filed a breach notice with the Maine Attorney General on March 7, 2025 and notified affected individuals. Official filings put the affected count at 220,968; a DataBreach.com parse recorded 356,822. Exposed data included names, addresses, dates of birth, Social Security numbers, driver's license numbers, medical information, and health insurance information. The company later agreed to a class-action settlement of up to $1.2 million.

ObscureIQ assessment: Severe risk of identity theft, medical fraud, insurance abuse, and targeted healthcare scams. Care-network data can also expose ongoing treatment relationships.

Breach Impact

The exposure combined identity, government-ID, and clinical data (Social Security numbers, driver's licenses, medical information, health insurance) for more than 220,000 patients, creating severe identity-theft, medical-fraud, and insurance-abuse risk. Rhysida's exfiltration of a multi-terabyte database and its offer for sale heighten the likelihood of downstream misuse, and the breach generated significant class-action liability.

About Sunflower Medical Group

Sunflower Medical Group is a Kansas-based primary and specialty care medical practice providing outpatient healthcare across multiple clinics. It maintains patient identity, contact, insurance, billing, scheduling, and treatment records spanning primary and specialty care relationships.

Why They Hold Your Data

Medical practice networks collect patient identity, contact, insurance, billing, appointment, and treatment records across primary and specialty care operations.

Recent Developments

After the December 2024 intrusion (detected January 7, 2025), Sunflower notified affected individuals, filed with state regulators, and offered identity-theft protection. It later agreed to a class-action settlement of up to $1.2 million. The Rhysida ransomware group claimed the attack and advertised a 3 TB SQL database for sale.

Data Points Exposed

10 verified field types
Account Balance High
Date of Birth High
Driver's License Critical
Email Address
Full Name High
Health Insurance
Medical Diagnosis Critical
Phone Number
Physical Address High
Social Security Number Critical

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Medical identity fraud and insurance abuse using medical and insurance data
  • Identity theft and synthetic identity construction using SSN, DOB, and driver's license
  • Identity verification bypass using name + DOB + government ID
  • Targeted phishing and vishing referencing medical care
  • Doxxing and physical targeting from exposed home addresses
Threat vectors:
  • Medical extortion, insurance fraud & discrimination
  • Full identity theft & synthetic identity fraud
  • Identity fraud with official bodies
  • Identity verification bypass
  • Name-based social engineering
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat

Threat Actor: Rhysida

Rhysida
Ransomware / Extortion

Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware / Extortion.

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Sunflower Medical Group breach?

Kansas-based Sunflower Medical Group detected unusual network activity on January 7, 2025 and determined an unauthorized party had accessed its systems around December 15, 2024, copying files with sensitive personal information. The Rhysida ransomware group claimed responsibility, advertising an…

What data was exposed?

Verified fields include Account Balance, Date of Birth, Driver's License, Email Address, Full Name, Health Insurance, Medical Diagnosis, Phone Number, Physical Address, Social Security Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation