More than 300,000 US healthcare patients impacted in suspected Rhysida cyber attacks
US-based healthcare organizations have acknowledged data breaches exposing PII and medical information linked to the Rhysida group


Two US healthcare organizations have warned that threat actors were able to breach their internal systems, exposing more than 300,000 individuals.
On 7 March 2025, Kansas-based healthcare provider Sunflower Medical Group published an alert stating that over 220,000 patients had their personally identifiable information (PII) accessed in a data breach.
An advisory published by the firm revealed it discovered suspicious activity within its network on 7 January 2025 and engaged a leading security firm to conduct an investigation.
The subsequent investigation found that an unknown third party had accessed Sunflower’s systems around 15 December 2024 and was able to copy files from the firm's internal systems.
The advisory stated that the specific information accessed by the attackers varied by individual, but could include their name, address, date of birth, social security number (SSN), driver’s license number, medical information, and health insurance information.
Sunflower said it has contacted the affected individuals for whom it had valid mailing addresses to notify them of their potential exposure and offer identity theft protection services to those whose SSNs and driver’s licenses were compromised.
It added that the firm has not found any evidence of personal information being abused by threat actors, but advised continued vigilance from affected individuals.
Rhysida linked to two breaches announced on the same day
The Rhysida ransomware group claimed responsibility for the attack back in January 2025 when it listed Sunflower on its leak site, stating the stolen information was available to the highest bidder.
The post claimed the group had stolen an SQL database consisting of more than 3TB of data and was in possession of 400,000 driver’s licenses, insurance cards, and SSNs.
On the same day, another healthcare organization specializing in mental illness and addiction, the Community Care Alliance, informed authorities that it too had been breached in July 2024.
The company told authorities that just under 115,000 individuals were affected by the breach.
“On or around January 8, 2025, we completed our investigation and determined the types of information potentially affected may include individuals’ name and one or more of the following: address, date of birth, driver’s license number, Social Security number, diagnosis/condition, lab results, medications, patient ID number, health insurance information, provider name and/or other treatment information,” the firm advised.
The Rhysida gang also claimed responsibility for this attack, stating it had a 2.5TB SQL database available for sale.
The group was first observed in the summer of 2023, rising to fame after its notable attack on the British Library, which crippled the library's online information systems and led to the release of 600GB of material online.
CISA has highlighted that the Rhysida ransomware gang has established a reputation for impacting “targets of opportunity” including organizations in the education, healthcare, manufacturing, information technology, and government sectors.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.