DataBreaches.Net


Beverly Hills Plastic Surgeon Jaime Schwartz M.D. Sued for Not Timely Notifying Patients of Two Hacks

Posted on February 22, 2025 by Dissent

Patients not told their nude photos had been leaked on the internet.

There’s a follow-up on one of the plastic surgery ransomware attacks this site first reported in October 2023 after the Hunters International threat actors added Jaime S. Schwartz, MD, to their leak site with proof of claims.

At the time, the attack on Dr. Schwartz’s practice was one of a number of attacks on plastic surgery practices in which threat actors posted some nude photos of patients and attempted to extort the surgeons by threatening to post all the patients’ nude photos with their names and details. If the physicians refused to pay, some of the threat actors began attempting to extort the patients directly via website posts and phone calls offering to remove their data if the patient paid them.

As DataBreaches reported, Schwartz ignored attempts to acquire further information about the alleged breach and there was no evidence that he reported the incident to the California Attorney General’s Office or the U.S. Department of Health and Human Services. Periodic checks of HHS’s public breach tool found no indication that the incident was reported to HHS’s site for breaches affecting more than 500 patients.

Now CourtWatch, in collaboration with 404 Media, reports that a class action lawsuit has been filed against Schwartz by eight “Doe” patients. The complaint alleges the doctor did not timely notify patients that his practice was allegedly hacked twice by Hunters International.

Hacked Twice

The complaint, which was filed in federal court in the Central District of California, alleges that in or about September and October of 2023, Hunters International downloaded 1.1 terabytes of patient data, reflecting almost 250,000 unique files. The private data included, among other things, nude photographs and video of patients taken during the course of treatment, including images with both their faces and private parts visible, and images taken during surgery reflecting their surgical procedures.

That allegation is consistent with what Hunters International (“Hunters”) posted on their leak site and the proof of claims they posted, as DataBreaches reported at the time.

According to the complaint, Schwartz did not notify his patients of the breach at the time or make other required notifications. The plaintiffs allege:

“Approximately six months later, in March of 2024, Dr. Schwartz’s system was hacked a second time. On information and belief, the hackers again gained access to his entire system and all or substantially all patient data,” the complaint alleges. “Once again, however, Dr. Schwartz attempted to sweep the second hack under the rug. He failed to notify his patients as required by federal and state law. He waited to do so until after the hackers posted a public website (the “Hacker Website”), announcing the hack and leaking patients’ names, contact information, and nude photographs, and began contacting his patients directly.”

That last statement is a bit misleading, perhaps, as by November 2023, after the first hack, the threat actors had already posted some nude photos on their leak site.

Listing on Hunters International’s leak site in April 2024. Nude photos of some patients and personal information of Jaime Schwartz, MD redacted by DataBreaches.net. Patients who saw the site saw a message to them saying, “If you find your private data here just email us and we will let you know how to proceed further with actions against this DOCTOR!”

Notifications?

One section of the complaint asserts that defendants were obligated to comply with HIPAA. But although it would seem likely that Schwartz would be a covered entity under HIPAA, there is no evidence on his website that he is. HIPAA covered entities are required to post a HIPAA Privacy Notice on their websites if they have a website. There is no HIPAA notice on Schwartz’s website, and the privacy notice on the site does not mention HIPAA at all.  Nor is there any mention on that site of Schwartz accepting health insurance or billing insurers. If he does not engage in certain electronic transactions, he may not be a HIPAA covered entity, even though he has an NPI number and is a licensed and board-certified plastic surgeon.

But even if it should turn out that Schwartz is not a covered entity under HIPAA, his practice is still subject to California laws and laws of other states that require notification. Yet according to the complaint, not only did Schwartz not notify patients, but when patients called to ask, his staff allegedly minimized the breach, claiming only a few patients were affected.

According to the complaint, in a January 2025 notification to patients, Schwartz writes:

Our office discovered on June 27, 2024, that an unauthorized third party utilized a third-party vendor’s credentials to access the practice’s medical billing and practice management system. Upon discovering the incident, we engaged a specialized third-party forensic incident response firm to conduct a forensic investigation and determine the extent of the compromise. The investigation determined that data was acquired without authorization. After electronic discovery, which concluded on January 2, 2025, it was determined that some of your personal information was present in the impacted data set. We then took steps to notify you of the incident as quickly as possible.

If Schwartz is a HIPAA covered entity, he may find himself in hot water with HHS over these alleged incidents, apart from any civil litigation by plaintiffs. He may also find himself in hot water with California.

A search of Schwartz’s disciplinary record shows that he received a public reprimand in February 2024 from the Medical Board of California. The record shows the accusation:

From May 2020 through March 2021, you aided and abetted the unlicensed practice of medicine and violated the ban on the corporate practice of medicine by engaging in a contractual relationship with a lay corporation (Orange Twist, LLC) that directly or indirectly controlled your medical practice at multiple Orange Twist med spa clinic locations throughout California, as more fully described in Accusation No. 800-2021-081344.

The accusation had been filed in February 2023. Schwartz agreed to a stipulated settlement and disciplinary order that required him to pay the board $221,924.75 for the costs of its investigation and enforcement action, to take an education course of his choosing, and a professionalism (ethics) course. No other charges seem to have been filed against him as of publication. Whether his patients may file charges against him with the medical board — or if they already have but it has not yet been made public — remains to be seen.

Schwartz was asked via his site’s contact form if he had any comment on the lawsuit. No reply was immediately available, but this post will be updated if he issues a statement.

Lawsuits against other plastic surgeons have yet to be resolved, but a lawsuit against Lehigh Valley Health Network that included the leak of nude patient photos by threat actors was recently settled for $65 million.

 

Category: Hack, Health Data
