More than 300,000 US healthcare patients impacted in suspected Rhysida cyber attacks


Two US healthcare organizations have warned that threat actors breached their internal systems, exposing the personal information of more than 300,000 individuals.

On 7 March 2025, Kansas-based healthcare provider Sunflower Medical Group published an alert stating that over 220,000 patients had their personally identifiable information (PII) accessed in a data breach.

An advisory published by the firm revealed it discovered suspicious activity within its network on 7 January 2025 and engaged a leading security firm to conduct an investigation.

The subsequent investigation found that an unknown third party had accessed Sunflower’s systems around 15 December 2024 and was able to copy files from them.

The advisory stated that the specific information accessed by the attackers varied by individual, but could include their name, address, date of birth, social security number (SSN), driver’s license number, medical information, and health insurance information.

Sunflower said it has contacted the affected individuals for whom it had valid mailing addresses to notify them of their potential exposure and offer identity theft protection services to those whose SSNs and driver’s licenses were compromised.

It added that the firm has not found any evidence of personal information being abused by threat actors, but advised continued vigilance from affected individuals.

Rhysida linked to two breaches announced on the same day

The Rhysida ransomware group claimed responsibility for the attack back in January 2025 when it listed Sunflower on its leak site, stating the stolen information was available to the highest bidder.

The post claimed the group had stolen an SQL database consisting of more than 3TB of data and was in possession of 400,000 driver’s licences, insurance cards, and SSNs.

On the same day, another healthcare organization specializing in mental illness and addiction, the Community Care Alliance, informed authorities that it too had been breached in July 2024.

The company told authorities that just under 115,000 individuals were affected by the breach.


“On or around January 8, 2025, we completed our investigation and determined the types of information potentially affected may include individuals’ name and one or more of the following: address, date of birth, driver’s license number, Social Security number, diagnosis/condition, lab results, medications, patient ID number, health insurance information, provider name and/or other treatment information,” the firm advised.

The Rhysida gang also claimed responsibility for this attack, saying it had a 2.5TB SQL database available for sale.

The group was first observed in the summer of 2023 and rose to fame after its notable attack on the British Library, which crippled the library's online information systems and led to the release of 600GB of material online.

CISA has highlighted that the Rhysida ransomware gang has established a reputation for impacting “targets of opportunity” including organizations in the education, healthcare, manufacturing, information technology, and government sectors.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.