Ransomware victim disclosure
← All victimsSunflower Medical Group
Claimed by Rhysida · listed 2 years ago
Status timeline
- ListedJan 7, 2025
- Data leakeddate unknown
At a glance
- Group
- Rhysida
- Status
- Data leaked
- Country
- United States
- Sector
- Healthcare
- Listed on leak site
- Jan 7, 2025
- Data size
- 3 TB
About the victim
AI dossier — public-source company profileSunflower Medical Group is a multi-location primary care and internal medicine practice serving the Kansas City metropolitan area with four urgent care centers. They offer family medicine, pediatrics, obstetrics & prenatal care, laboratory services, and diagnostic imaging across locations in Kansas City KS, Roeland Park, and Lenexa.
- Industry
- Healthcare - Primary Care & Internal Medicine
- Address
- Multiple locations: Kansas City KS, Lenexa West, Roeland Park, Lenexa East
Attack summary
Severity: critical — Confirmed exfiltration of large-scale regulated PII including 400,000+ driver's licenses, insurance cards, and SSNs from healthcare provider. Patient health records and sensitive medical data exposed. Meets critical threshold for regulated healthcare data at scale.Rhysida claims to have exfiltrated 3 TB of patient data including over 400,000 driver's licenses, insurance cards, and social security numbers. The group is advertising the stolen data for exclusive sale to a single buyer.
Data the group says was taken
AI dossier — extracted from the leak post- driver's licenses (400,000+)
- insurance cards
- social security numbers
- patient health records
- SQL database
What the group claims
Sunflower Medical Group With only 7 days to spare, take the opportunity to bet on exclusive, unique, and impressive data. More than 400 thousand driver's licenses, insurance cards, social security numbers. Sql base is more than 3TB. Open your wallets and get ready to buy exclusive data. We sell only to one person, no resale, you will be the only owner!
Sources
- Victim sitesunflowermed.com
Source
Indexed 2 years agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

