Kansas City, KS-based Sunflower Medical Group has agreed to pay up to $1,200,000 to settle a class action lawsuit stemming from a December 2024 ransomware attack. The ransomware attack was conducted by the Rhysida ransomware group, which gained access to its network on or around December 15, 2024. Sunflower Medical Group determined on January 7, 2025, that sensitive patient data had been stolen, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical information, and health insurance information.
Rhysida claimed to have exfiltrated a 3-terabyte SQL database in the attack, containing the data of approximately 400,000 patients. If a ransom is not paid, Rhysida attempts to sell the stolen data and leaks any unsold data on its dark web data leak site, as was the case in this attack. Sunflower Medical Group’s file review identified 220,968 affected individuals, although the class size of the lawsuit is 255,734 individuals.
Several class action lawsuits were filed against Sunflower Medical Group over the data breach. The lawsuits were consolidated into a single complaint – S.W., et al. v. Sunflower Medical Group, P.A. – in the Circuit Court of Jackson County, Missouri, at Independence, as the lawsuits had overlapping claims. The plaintiffs alleged that the HIPAA Rules had been violated, as Sunflower Medical Group failed to implement reasonable and appropriate security measures, as required by the HIPAA Security Rule, did not adhere to industry best practices, failed to conduct a HIPAA-compliant risk analysis after the attack, and committed other violations of the HIPAA Rules. The lawsuit asserted claims of negligence, breach of fiduciary duty of confidentiality, breach of implied contract, negligent training and supervision, and violations of the Missouri Merchandising Practices Act.
Sunflower Medical Group maintains there was no wrongdoing, denies all claims and contentions in the lawsuit, and maintains there is no liability. The HHS’ Office for Civil Rights launched an investigation into the data breach and provided technical assistance to Sunflower Medical Group on compliance with the HIPAA Rules, indicating that the compliance issues identified did not meet the threshold for a financial penalty. OCR has marked the investigation as closed.
Despite disagreeing with the claims, Sunflower Medical Group agreed to settle the litigation. The parties agreed that a settlement was in their mutual best interests, avoiding the costs and risks associated with a trial and any related appeals. The settlement fund will cover attorneys’ fees and expenses, settlement administration and notification costs, service awards to the class representatives, and benefits to the class members. The settlement has been capped at $1,200,000.
All class members are entitled to two years of medical data monitoring services, which include a $1 million medical identity theft insurance policy and fraud resolution assistance services. In addition, a claim may be submitted for a cash payment. The cash payments have been capped at $300,000 and will be subject to a pro rata reduction if that cap is exceeded. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or an alternative one-time $10 cash payment may be claimed. Sunflower Medical Group has also agreed to implement additional security measures to mitigate the risk of a further data breach.
The deadline for objection to and exclusion from the settlement is January 26, 2026. Claims must be submitted by March 26, 2026, and the final fairness hearing has been scheduled for March 6, 2026.
March 26, 2025: Sunflower Medical Group Sued Over 222,000-Record Data Breach
Sunflower Medical Group is facing a class action lawsuit over its recently disclosed data breach involving the protected health information of more than 222,000 current and former patients. Sunflower Medical Group is a private multi-specialty medical practice with four locations in Kansas. The Sunflower Medical Group data breach occurred on December 15, 2024, but was not discovered for more than three weeks. According to Sunflower Medical Group, the unauthorized access was identified and blocked on January 7, 2025.
The hacker was able to access names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical information, and health insurance information. Notification letters were mailed to the affected individuals on March 7, 2025, and complimentary credit monitoring and identity theft protection services were offered to individuals whose Social Security numbers were involved. The data breach was reported to the HHS Office for Civil Rights as involving the protected health information of 220,968 individuals.
The lawsuit, John Crisp v. Sunflower Medical Group, P.A., was filed in the U.S. District Court for the Western District of Missouri a few days after the notifications were mailed. The lawsuit alleges the defendant failed in its duties to protect sensitive data from unauthorized access due to inadequate security practices. The lawsuit claims that the notification letters failed to state any actions being taken to improve security, and that credit monitoring and identity theft protection services were only offered to some of the affected individuals.
The lawsuit claims that the plaintiff and class members have suffered significant injuries as a result of the data breach, including a significant and ongoing risk of identity theft and fraud from the misuse of their data; loss of the opportunity to control how their personal and protected health information is used; out-of-pocket costs from trying to prevent the misuse of their data; a delay in receipt of tax refund monies; and lost opportunity costs from spending time trying to mitigate the fallout from the breach.
Given the high risk of healthcare data breaches, the lawsuit claims the defendant should have been aware that it could be targeted by hackers, yet failed to follow FTC guidelines and industry standards. The lawsuit also claims the medical group was in violation of the Health Insurance Portability and Accountability Act (HIPAA), drawing attention to 10 alleged violations of the HIPAA Rules. The lawsuit also took issue with the length of time it took for the affected individuals to discover their sensitive data had been compromised. Notification letters were mailed two months after the breach was detected and 82 days after the breach occurred. The lawsuit claims the delay deprived class members of the opportunity to mitigate their injuries in a timely manner.
The lawsuit asserts claims of negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty, and seeks a jury trial, compensatory damages, credit monitoring services, attorneys’ fees, and injunctive relief requiring Sunflower Medical Group to implement industry-standard security measures.
The post Sunflower Medical Group to Pay Up to $1.2 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

A deep learning-based IoT malware detection approach for electric vehicle charging stations – Nature