Full Report
Sunflower Medical Group said it initially discovered the breach on January 7 and hired a cybersecurity firm to investigate before it was discovered the hackers had been inside their systems since mid-December.
Analysis Summary
# Incident Report: Sunflower Medical Group Data Breach and Ransomware Extortion
## Executive Summary
A Kansas-based healthcare provider, Sunflower Medical Group, suffered a data breach initiated in mid-December, impacting nearly 221,000 patients. The breach was discovered in January, and later attributed to the Rhysida ransomware group, which exfiltrated sensitive patient data and demanded an $800,000 ransom. The organization notified affected parties and offered credit monitoring, though no operational impact was publicly reported.
## Incident Details
- Discovery Date: January 7, 2025
- Incident Date: On or around December 15, 2024
- Affected Organization: Sunflower Medical Group
- Sector: Healthcare
- Geography: Kansas, USA
## Timeline of Events
### Initial Access
- Date/Time: Mid-December 2024 (exact date unknown, breach began around December 15)
- Vector: Not explicitly stated, assumed associated with Rhysida ransomware operations.
- Details: Hackers gained unauthorized access to Sunflower’s internal systems.
### Lateral Movement
- Details: The group maintained access from December 15 until discovery in January, during which they made copies of Sunflower’s files.
### Data Exfiltration/Impact
- Date/Time: Ongoing between mid-December and January 7.
- Details: Attackers successfully exfiltrated sensitive patient data, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical information, and health insurance details.
### Detection & Response
- Date/Time: Discovered January 7, 2025.
- Details: The organization detected unauthorized activity, hired a cybersecurity firm for investigation, and subsequently notified regulatory bodies in Maine, Vermont, and California, and posted a public notice. Rhysida claimed responsibility in January, threatening to leak data if an $800,000 ransom was not paid.
## Attack Methodology
- Initial Access: Unknown (Attribution to Rhysida ransomware group suggests standard initial access vectors such as exploiting external-facing vulnerabilities or phishing, but not specified in the text).
- Persistence: Maintained access from mid-December through at least January 7.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Implied by the scope of data collection across the organization.
- Collection: Hackers made copies of Sunflower’s files.
- Exfiltration: Data was exfiltrated prior to detection.
- Impact: Data theft and attempted extortion via the Rhysida ransomware group.
## Impact Assessment
- Financial: An $800,000 ransom demand was made by the threat actor, although it is unknown if this was paid. Costs related to investigation, notification, and offering credit monitoring apply.
- Data Breach: Exposure of sensitive PII and PHI for nearly 221,000 patients. Data included SSNs, DOBs, and medical/insurance information.
- Operational: The report notes the company has not reported any operational issues *since* December, suggesting either the attack was limited to data theft (not denial of service/encryption) or that operational continuity planning mitigated downtime.
- Reputational: Notification to regulators and victims, and public reporting of the incident.
## Indicators of Compromise
- *Note: Specific IoCs (IPs, URLs, file hashes) were not provided in the source text.*
- Behavioral indicators: Unauthorized access and file staging occurring between December 15 and January 7.
- Threat Actor: Rhysida ransomware gang.
## Response Actions
- Containment: Implied by the investigation starting January 7, though specific technical containment steps (e.g., segmenting networks, disabling accounts) are not detailed.
- Eradication: Not detailed.
- Recovery: Not detailed, though operations seemingly stabilized without major reported disruption. The organization offered one year of credit monitoring services to all victims for whom they had valid addresses.
## Lessons Learned
- Threat Actor Persistence: Attackers maintained access for approximately three weeks before internal detection.
- Proactive Hardening: The incident highlights the need for robust internal detection capabilities, as the breach was active for several weeks before discovery.
- Ransomware Targeting: The healthcare sector remains a prime target for financially motivated groups like Rhysida.
## Recommendations
- Implement enhanced monitoring and logging across the network perimeter and internal systems to reduce the dwell time observed in this incident.
- Review and strengthen access controls and privileged account management, especially given the sensitive nature of the data targeted (SSNs, PHI).
- Evaluate backup and recovery strategies, ensuring segmentation and offline copies are protected, separate from the ransom attempt.
- Consider multi-factor authentication implementation across all critical systems to mitigate lateral movement pathways.