
Two U.S. healthcare providers, Sunflower Medical Group in Kansas City and Community Care Alliance (CCA) in Rhode Island, started notifying customers that significant ransomware attacks targeted the clinics.
Both cyberattacks were claimed by the notorious Russian-speaking Rhysida cybercriminal group around the time the security incidents occurred.
Despite the serious nature of these incidents, neither Sunflower Medical Group nor Community Care Alliance explicitly mentioned Rhysida in their formal disclosures. However, the group has publicly claimed responsibility for both attacks, listing terabytes of stolen data for sale on its dark web leak site.
Sunflower Medical Group, which operates four clinics offering urgent and pediatric care, disclosed that 220,968 individuals were impacted in a breach detected on January 7, 2024.
The attack, which initially began on December 15, 2024, led to the theft of various sensitive data types, including names, addresses, Social Security numbers (SSNs), driver's license details, medical records, and health insurance information. Sunflower stated that the data stolen varied by individual.
Similarly, Community Care Alliance reported a breach affecting 114,000 individuals between July 1 and July 5, 2024. The extracted data included SSNs, medical diagnoses, medications, health insurance details, and even financial information such as credit card details.
CCA confirmed that unauthorized access to its systems occurred, and an internal investigation was finalized six months later, on January 8, 2025.
Rhysida boasts staggering data volumes on its dark web portal, offering a 3TB SQL database from Sunflower Medical Group and a 2.5TB database stolen from Community Care Alliance.
According to the group's claims, the Sunflower database includes 400,000 identity documents, such as driver's licenses, insurance cards, and SSNs, while CCA's database contains patient records alongside financial information.
Rhysida, a ransomware-as-a-service (RaaS) operation that surfaced in May 2023, has steadily escalated its attacks on critical sectors. Beyond healthcare, Rhysida has attacked schools, local governments, police departments, law firms, and other businesses, many of which face similar resource constraints.