Two recent breaches involving plastic surgery practices in California have leaked patient data. One of the breaches is by a well-known group that has done such things before. The other incident is by an unnamed individual or group. Both leaks contain some sensitive private images or videos in addition to patient data.
On June 21, BlackCat (AlphV) threat actors added Beverly Hills Plastic Surgery to their leak site. “We have lots of PII and PHI, including a lot of pictures of patients that they would not want out there,” the listing read. “It be in your best interest to reach out before we release all data. Leak to follow if no contact made.”
On July 8, that text was replaced with a different message: “Dr. David Kim and Dr. Eugene Kim does not care about patient privacy. Only fill they pockets with money,” BlackCat claimed in their usual insulting manner.
The revised listing was accompanied by a number of screencaps. Not all of the screencaps seem to be internal documentation or typical before and after surgery photos that a plastic surgeon might have in their gallery. A few of the screencaps appeared to be personal photos that would be tagged NSFW (Not Safe For Work).
To date, the doctors do not appear to have acknowledged any breach or provided any notice to HHS or the California Attorney General’s Office. Nor have they responded to an inquiry from DataBreaches. Because the doctors or practice have not disclosed or confirmed any breach, we do not know when the breach actually occurred or how many patients were affected.
A Second Plastic Surgery Practice Gets Hit
Three days after BlackCat added Beverly Hills Plastic Surgery to their leak site, counsel for Gary Motykie, M.D. submitted a breach notice to the Maine Attorney General’s Office. The notice stated that on or about May 9, Dr. Motykie learned that a third party was in possession of patient data. A subsequent investigation revealed that patient information, including name, Social Security Number, address, driver’s license or identification card number, financial account or payment card number, in combination with any required CVV code, intake forms including medical information and history, images taken, and health insurance information might all have been compromised for some patients.
On July 12, Dr. Motykie’s counsel updated their report to reveal 3,461 patients had been affected by the breach that occurred on April 13. The draft notification letter appended to the submission to the state was unchanged and the third party or bad actor was not named.
There is no notice on Dr. Motykie’s website. There has been no press release that DataBreaches could find. And there was nothing in his letter to patients that told them that their sensitive personal and medical data was not only acquired but was leaked on the internet.
Instead, some of his patients found out from each other and the media that when Dr. Motykie wouldn’t pay a demand of $2.5 million, nude pictures of patients with their information and files were uploaded to a clearnet leak site. Every few days, beginning June 5, more photos and patient files were added. The most recent files were added on July 7. On or about June 7 or 8, patients reportedly received phone calls and/or emails pointing them to the leak site and telling them they could pay to have their files removed. And if they wanted to remove all the files, well, they could pay $800,000. No one seems to have taken them up on that option, but three blank spaces in the array of pictures suggest that three patients may have paid to have their images and files removed from the leak site after they were posted.
[A note to patients considering paying the blackmailer to remove their data: In general, experts strongly advise victims NOT to pay to have their data deleted. Criminals often lie about deleting data, and once you pay, you’ve shown them that you are willing to pay so they may come back and try to blackmail you again. And even if you get the files removed now, they may have already been scraped (copied) by others who may then also leak the data or try to use it to blackmail you. It’s a terrible situation to be in, but paying may not help and may make you a target for further blackmail attempts.]
Most of the patient pictures on the leak site are facial pictures or breast pictures. Under each is the patient’s name, date of birth, phone number, and email address. Clicking on the patient’s picture opens a web page with links to all of the patient’s photos and documents. A detective involved in the case reportedly told patients that they had been unable to get the site removed because it was operating out of Russia.
Above the patient photos on the leak site are prominently displayed links to photos and videos of the doctor engaged in sexual activities as well as photos and videos of his brother engaged in intimate activities (all NSFW and viewer caution advised). Whether they were on the server with patient photos or the bad actor was able to also access a personal server is unknown to DataBreaches.
The existence of the leak site would probably have flown under the media radar had it not been for a patient talking to the press after they found out about it from another patient who had already heard about the site from the bad actor.
Is the Motive for Both Breaches Purely Financial?
It is not unheard of for bad actors to reach out to blackmail patients directly by contacting them and claiming they will delete their data if the patient pays them. DataBreaches has reported on such cases involving a Lithuanian plastic surgery clinic, a UK plastic surgery clinic, a Finnish psychotherapy center, a Florida center for facial restoration, and a Pennsylvania cancer center. And just yesterday, we saw BlackCat claiming they will be directly contacting patients at an Alabama behavioral health center (a listing they subsequently removed because the affiliate violated their rules by attacking a non-profit).
It’s also not unheard of for bad actors to leak nude photos of patients so that patients will put more pressure on the entity to pay, or will pay the hackers themselves. DataBreaches has reported on a number of incidents where attackers directly address patients and tell them to contact the entity to urge them to pay. DataBreaches is not aware of any incidents where that strategy has worked.
But the Motykie incident seems to be a bit different. No named group has claimed responsibility for the attack. Perhaps someone from a known group is testing out a new strategy, but someone spent a good chunk of time creating that leak site and uploading individual patient webpages and files in an organized way. The established ransomware teams or individuals do not use WhatsApp or skiff.com for victims to contact them, but again, could someone be testing a new strategy? And then there are the very, very personal photos and videos involving the doctor and his brother that raise the question of whether the attacker had a personal motive to damage the doctor’s reputation, or whether this is just further escalation to pressure the doctor to pay by exposing him in private moments.
DataBreaches reached out to the email address on the leak site to ask the leaker some questions. No reply was received. Inquiries were also sent to the brother’s attorney and to Dr. Motykie via contact forms on their respective websites. No replies have been received by publication.
Unsurprisingly, at least one lawsuit against the doctor has already been filed.
Plastic Surgeons: Secure Your Patient Data Better!
Over the years, DataBreaches has reported on a number of breaches involving plastic surgeons who, to advertise their work, have a gallery of before and after pictures of some of their clients. Practices reported on this site have generally used poor privacy protection for nude photos: they often upload identifiable pictures of their patients, sometimes with filenames or metadata that include the patient’s name. They may wrongly assume that it is safe to do so because they will only be displaying a portion of the image in the gallery — like a screencap of the nasal area or breast area without the rest of the photo. But there are full and identifiable patient photos sitting on their server, unencrypted, just waiting for someone to come along and hack the server and then attempt to blackmail the doctor(s) or the patients.
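As an added example, not from the article or from any practice it names, here is a stdlib-only Python check for the metadata problem described above: it finds a name stored inside an image's own metadata and writes a scrubbed copy suitable for a public gallery. It assumes PNG files with tEXt chunks (JPEG EXIF carries the same kind of free-text fields) and a constructed 1x1 sample image whose Author field holds a placeholder patient name.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
SENSITIVE_KEYS = {"Author", "Comment", "Description", "Title", "Source"}  # where names end up

def _chunk(ctype, data):  # one PNG chunk: length, type, data, CRC over type+data
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_png(text_fields):
    """Constructed sample: a 1x1 grayscale PNG carrying the given tEXt fields."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    for key, value in text_fields:
        png += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return png + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")

def iter_chunks(png):
    """Yield (type, data) for each chunk, rejecting a bad signature or CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length

def text_metadata(png):
    """Return {key: value} for every tEXt chunk in the file."""
    meta = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            meta[key.decode("latin-1")] = value.decode("latin-1")
    return meta

def flag_sensitive(png):
    """Sorted list of sensitive keys present with a non-empty value."""
    meta = text_metadata(png)
    return sorted(k for k in SENSITIVE_KEYS if meta.get(k, "").strip())

def strip_text_metadata(png):
    """Rewrite the PNG with every textual metadata chunk removed; pixel data untouched."""
    return PNG_SIG + b"".join(_chunk(t, d) for t, d in iter_chunks(png) if t not in TEXT_CHUNKS)

# Constructed sample image: the Author field carries a placeholder patient name.
SAMPLE = build_png([("Author", "PATIENT NAME PLACEHOLDER"), ("Software", "camera-app")])
```

Run `flag_sensitive` over every file in a gallery directory before upload; anything it flags should go through `strip_text_metadata` (and the crop step) first, and the full originals should never sit on the web server at all.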
DataBreaches does not know what security guidance the American Society of Plastic Surgeons may have ever given its members about storing full and unredacted pictures of nude patients on their servers, even if they are only using a small portion of the image on the public-facing gallery, so we sent an inquiry to them about that specific issue.
An association spokesperson responded:
HIPAA compliance is vital for any physician practice and patient photography is considered Protected Health Information (PHI). For its members, American Society of Plastic Surgeons provides online resources, articles in our newsletter and several other conduits on an ongoing basis.
So they didn’t really answer the question.
Maybe if they take a look at some of the leaked photos and inappropriate photos that reflect poorly on privacy protection and data security by plastic surgeons, they’ll decide to publish a strong warning about metadata and full, unredacted pictures on a server connected to the internet.