An unknown party or parties who created a leak site with nude photos and medical records of a well-known plastic surgeon’s patients have uploaded more of his patients’ photos and records.
In what was their third update to the leak site since June 5, those responsible wrote that they have changed their strategy. Before any more of Dr. Gary Motykie’s patients’ data is published, the patients will reportedly be given a chance to pay $2500 to get their data deleted and not made public.
They also note that the price for closing the website and deleting all data is $800,000, which they claim is “4-5 months of Gary’s clinic work.” In an email to DataBreaches, they claim that they did not, and do not, lock their targets’ systems. The price is for deleting data that they exfiltrated.
In that email, they also denied being affiliated with AlphV (who had also hit a plastic surgery group) or any other ransomware group. They claim that they are an independent group. They also reiterated a claim they had made in a previous email that the 3,461 patients reported to HHS do not include patients who had virtual consults with the doctor. DataBreaches has reached out to ask Dr. Motykie if his report to HHS did include virtual consult patients, but no reply was immediately available.
Other details they provided included their response to this site’s inquiry about access. They would not disclose initial access details, but they did disclose something about lateral movement: “It was as easy as it can be,” they wrote. “[the] clinic stored plain text passwords in file on their server and anybody on their network had an access to this file with passwords inside.”
Files attached to their email contained more than a dozen employee or staff login credentials from 2011-2013. Whether those credentials were still working in 2023 is unclear, and DataBreaches has sent them a follow-up inquiry as to whether those old credentials were still working at the time of the attack or if they found newer ones on the server. Either way, they say they no longer have access to the server.
One other question that DataBreaches posed to them concerned the very personal, NSFW sexually explicit videos involving Dr. Motykie and some other videos involving his brother in private moments with his girlfriend. When asked, those responsible for the leak site claimed that Dr. Motykie stored the explicit videos of himself on his work PC and stored the private and sensitive videos of his brother on his OneDrive. Whether Dr. Motykie had his brother’s consent to have or store those videos is unknown to DataBreaches, and the brother’s lawyer had not responded to inquiries. DataBreaches has followed up by asking those responsible for the leak site whether the brother has contacted them at all to request they remove the videos of him.
Three leak sites with nude photos and medical records of plastic surgery patients continue to pose a serious risk to patient privacy as well as the risk of fraud or further blackmail attempts. Did these three surgery practices (Beverly Hills Plastic Surgery, Dr. Gary Motykie, and Hankins and Sohn Plastic Surgery) adhere to the HIPAA Security Rule in how they protected patient data? Hopefully, HHS will investigate all of these incidents.