Kansas City, Mo.-based Sunflower Medical Group is facing a class-action lawsuit for allegedly failing to protect patient and employee data, resulting in a cybersecurity breach that exposed sensitive, personally identifiable information and protected health information, according to court documents accessed by Becker’s.
What happened?
- The breach occurred Dec. 15, 2024, and impacted 220,968 individuals, exposing names, Social Security numbers, driver’s license information, dates of birth, medical records and health insurance details.
- The lawsuit alleges that Sunflower Medical Group did not discover the breach until Jan. 7, 2025, and only began notifying affected individuals March 7, two months later.
- The lawsuit claims Sunflower violated HIPAA by not implementing adequate cybersecurity measures and failing to follow Federal Trade Commission guidelines for consumer data protection.
- The complaint also claims the physician group failed to encrypt data, lacked proper monitoring systems, did not train employees on cybersecurity and had outdated or weak security measures.
What’s next?
- The lawsuit seeks compensatory damages, credit monitoring, improved security measures and long-term audits.
At the Becker's 23rd Annual Spine, Orthopedic and Pain Management-Driven ASC + The Future of Spine Conference, taking place June 11-13 in Chicago, spine surgeons, orthopedic leaders and ASC executives will come together to explore minimally invasive techniques, ASC growth strategies and innovations shaping the future of outpatient spine care. Apply for complimentary registration now.
