Sunflower Medical Group is dealing with a class action lawsuit because of a recent data breach affecting the protected health information (PHI) of about 221,000 present and past patients. Sunflower Medical Group’s private specialized medical center is located in four areas in Kansas. The data breach happened on December 15, 2024, but was identified only after three weeks. As per Sunflower Medical Group, unauthorized access was blocked immediately when discovered on January 7, 2025.
The hacker accessed names, birth dates, addresses, driver’s license numbers, Social Security numbers, medical data, and medical insurance details. Sunflower Medical Group mailed notification letters to the impacted persons on March 7, 2025, and offered free credit monitoring and identity theft protection services to those whose Social Security numbers were compromised. The data breach report submitted to the HHS Office for Civil Rights indicated that the PHI of 220,968 people was affected.
A few days after mailing the notifications, the John Crisp v. Sunflower Medical Group, P.A. lawsuit was submitted in the U.S District Court for the Western District of Missouri. The lawsuit states the defendant could not fulfill its responsibilities to safeguard sensitive information from unauthorized access because of insufficient security strategies. The lawsuit states that the breach notification letters did not mention the steps to strengthen security, and that only some impacted persons received identity theft protection and credit monitoring services.
The lawsuit states that the plaintiff and class members have experienced injuries due to the data breach, such as the continuing threat of identity theft and fraud through the misuse of their information; losing the ability to control the use of their personal data and PHI; personal expenditures for attempting to stop the misuse of their information; a delay in getting tax refund payments; and lost time and money for attempting to mitigate the aftereffects of the breach.
Considering the associated risk of healthcare data breaches, the lawsuit states the defendant should have known about the hackers’ attacks yet did not adhere to FTC policies and industry requirements. The lawsuit likewise alleged Sunflower Medical Group committed 10 violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. The litigation also mentioned the long time it took for the medical group to discover the compromise of the affected individuals’ sensitive data. The provider mailed notification letters two months after discovering the breach and 82 days after the data breach took place. The lawsuit states that because of the delay, class members lost the ability to mitigate their injuries promptly.
The lawsuit alleges breach of implied contract, claims of negligence, privacy violation, breach of fiduciary duty, and unjust enrichment. The plaintiffs want a jury trial, compensatory damages, attorneys’ fees, credit monitoring services, and injunctive relief mandating Sunflower Medical Group to follow industry-standard security procedures, which may include HIPAA certification.
