Sunflower Medical Group decided to pay about $1,200,000 to resolve a class action lawsuit associated with a ransomware attack in December 2024. The Rhysida ransomware attack resulted in access to the medical group’s network on or about December 15, 2024. Sunflower Medical Group confirmed on January 7, 2025 the theft of sensitive patient information, which includes names, birth dates, addresses, driver’s license numbers, Social Security numbers, medical data, and medical insurance data.
Rhysida said it exfiltrated a 3-terabyte SQL database with approximately 400,000 patients’ data during the ransomware attack. When no ransom is paid, Rhysida tries to sell the compromised information and leaks the unsold information on its dark web data leak page. That is what happened in this cyberattack. Sunflower Medical Group reviewed the files of 220,968 individuals identified to have been affected by the attack, though the lawsuit class size is 255,734 individuals.
Sunflower Medical Group faced multiple class action lawsuits because of the data breach. Because the lawsuits had overlapping allegations, they were consolidated into S.W., et al. v. Sunflower Medical Group, P.A., filed in the Circuit Court of Jackson County, Missouri, at Independence. The plaintiffs claimed that Sunflower Medical Group violated the HIPAA Rules because it failed to implement the reasonable and appropriate security measures required by the HIPAA Security Rule. The medical group also allegedly did not comply with industry guidelines, did not perform a HIPAA-compliant risk analysis following the attack, and committed other HIPAA Rules violations. The lawsuit stated claims of negligence, negligent training and supervision, breach of implied contract, breach of fiduciary duty of confidentiality, and violation of the Missouri Merchandising Practices Act.
Sunflower Medical Group denied any wrongdoing, rejected all claims and allegations in the lawsuit, and maintained that it has no liability. An investigation by the HHS’ Office for Civil Rights into the data breach found that the HIPAA compliance issues did not warrant a financial penalty, and OCR closed the investigation.
Despite disputing the claims, Sunflower Medical Group decided to resolve the litigation. All parties agreed to a settlement to avoid the costs and risks of a trial and any subsequent appeals. The $1,200,000 settlement fund will pay for the attorneys’ fees and expenses, settlement administration and notification costs, class representatives’ service awards, and the class members’ benefits.
All class members are eligible for two years of medical data monitoring services, including $1 million in medical identity theft insurance coverage and fraud resolution assistance services. They may also file a claim for a cash payment. Cash payments are capped at $300,000 in total and will be reduced pro rata if the claims exceed that cap. Class members may claim reimbursement of documented, unreimbursed expenses resulting from the data breach up to $5,000 per class member, or a one-time $10 cash payment. Additional security measures have been implemented to mitigate the threat of further data breaches.
The last day to file an objection to the settlement or to request exclusion from it is January 26, 2026. Class members may submit claims until March 26, 2026. The final fairness hearing is scheduled for March 6, 2026.