Sunflower Medical Group has confirmed a significant data breach that exposed comprehensive personal and medical information for nearly all of its patients. The cyber attack, which occurred between December 15, 2024, and January 7, 2025, compromised sensitive data including full names, addresses, Social Security numbers, driver's license numbers, dates of birth, health insurance information, and medical records.
The medical group, which specializes in internal medicine, family practice, pediatrics, and obstetrics and gynecology, discovered suspicious network activity on January 7, 2025. After engaging a third-party forensic cyber investigator, the organization confirmed a foreign, malicious agent had infiltrated its network.
On March 7, 2025, Sunflower Medical Group notified the Maine Attorney General about the data compromise and subsequently informed potentially affected patients. The extensive nature of the stolen information significantly increases the risk of identity theft and potential medical fraud for those impacted.
The data breach has attracted legal attention, with Kantrowitz, Goldhamer & Graifman, P.C. considering a class-action investigation into the incident. This potential legal action highlights growing concerns about healthcare organizations' cybersecurity measures and the protection of patient information in an increasingly digital healthcare landscape.
