DataBreaches.Net


Beverly Hills Plastic Surgeon Jaime Schwartz M.D. Sued for Not Timely Notifying Patients of Two Hacks

Posted on February 22, 2025 by Dissent

Patients not told their nude photos had been leaked on the internet.

There’s a follow-up on one of the plastic surgery ransomware attacks this site first reported in October 2023 after the Hunters International threat actors added Jaime S. Schwartz, MD, to their leak site with proof of claims.

At the time, the attack on Dr. Schwartz’s practice was one of a number of attacks on plastic surgery practices in which threat actors posted some nude photos of patients and attempted to extort the surgeons by threatening to post all the patients’ nude photos with their names and details. And if the physicians refused to pay, some of the threat actors began attempting to extort the patients directly via website posts and phone calls offering to remove their data if the patient paid them.

As DataBreaches reported, Schwartz ignored attempts to acquire further information about the alleged breach and there was no evidence that he reported the incident to the California Attorney General’s Office or the U.S. Department of Health and Human Services. Periodic checks of HHS’s public breach tool found no indication that the incident was reported to HHS’s site for breaches affecting more than 500 patients.

Now CourtWatch, in collaboration with 404 Media, reports that a class action lawsuit has been filed against Schwartz by eight “Doe” patients. The complaint alleges the doctor did not timely notify patients that his practice was allegedly hacked twice by Hunters International.

Hacked Twice

The complaint, which was filed in federal court in the Central District of California, alleges that in or about September and October of 2023, Hunters International downloaded 1.1 terabytes of patient data, reflecting almost 250,000 unique files. The private data included, among other things, nude photographs and video of patients taken during the course of treatment, including images with both their faces and private parts visible, and images taken during surgery reflecting their surgical procedures.

That allegation is consistent with what Hunters International (“Hunters”) posted on their leak site and the proof of claims they posted, as DataBreaches reported at the time.

According to the complaint, Schwartz did not notify his patients of the breach at the time or make other required notifications. The plaintiffs allege:

“Approximately six months later, in March of 2024, Dr. Schwartz’s system was hacked a second time. On information and belief, the hackers again gained access to his entire system and all or substantially all patient data,” the complaint alleges. “Once again, however, Dr. Schwartz attempted to sweep the second hack under the rug. He failed to notify his patients as required by federal and state law. He waited to do so until after the hackers posted a public website (the “Hacker Website”), announcing the hack and leaking patients’ names, contact information, and nude photographs, and began contacting his patients directly.”

That last statement is a bit misleading, perhaps, as by November 2023, after the first hack, the threat actors had already posted some nude photos on their leak site.

Listing on Hunters International’s leak site in April 2024. Nude photos of some patients and personal information of Jaime Schwartz, MD redacted by DataBreaches.net. Patients who saw the site saw a message to them saying, “If you find your private data here just email us and we will let you know how to proceed further with actions against this DOCTOR!”

Notifications?

One section of the complaint asserts that defendants were obligated to comply with HIPAA. But although it would seem likely that Schwartz would be a covered entity under HIPAA, there is no evidence on his website that he is. HIPAA covered entities are required to post a HIPAA Privacy Notice on their websites if they have a website. There is no HIPAA notice on Schwartz’s website, and the privacy notice on the site does not mention HIPAA at all.  Nor is there any mention on that site of Schwartz accepting health insurance or billing insurers. If he does not engage in certain electronic transactions, he may not be a HIPAA covered entity, even though he has an NPI number and is a licensed and board-certified plastic surgeon.

But even if it should turn out that Schwartz is not a covered entity under HIPAA, his practice is still subject to California laws and laws of other states that require notification. Yet according to the complaint, not only did Schwartz not notify patients, but when patients called to ask, his staff allegedly minimized the breach, claiming only a few patients were affected.

According to the complaint, in a January 2025 notification to patients, Schwartz writes:

Our office discovered on June 27, 2024, that an unauthorized third party utilized a third-party vendor’s credentials to access the practice’s medical billing and practice management system. Upon discovering the incident, we engaged a specialized third-party forensic incident response firm to conduct a forensic investigation and determine the extent of the compromise. The investigation determined that data was acquired without authorization. After electronic discovery, which concluded on January 2, 2025, it was determined that some of your personal information was present in the impacted data set. We then took steps to notify you of the incident as quickly as possible.

If Schwartz is a HIPAA covered entity, he may find himself in hot water with HHS over these alleged incidents, apart from any civil litigation by plaintiffs. He may also find himself in hot water with California.

A search of Schwartz’s disciplinary record shows that he received a public reprimand in February 2024 from the Medical Board of California. The record shows the accusation:

From May 2020 through March 2021, you aided and abetted the unlicensed practice of medicine and violated the ban on the corporate practice of medicine by engaging in a contractual relationship with a lay corporation (Orange Twist, LLC) that directly or indirectly controlled your medical practice at multiple Orange Twist med spa clinic locations throughout California, as more fully described in Accusation No. 800-2021-081344.

The accusation had been filed in February 2023. Schwartz agreed to a stipulated settlement and disciplinary order that required him to pay the board $221,924.75 for the costs of its investigation and enforcement action, to take an education course of his choosing, and a professionalism (ethics) course. No other charges seem to have been filed against him as of publication. Whether his patients may file charges against him with the medical board — or if they already have but it has not yet been made public — remains to be seen.

Schwartz was asked via his site’s contact form if he had any comment on the lawsuit. No reply was immediately available, but this post will be updated if he issues a statement.

Lawsuits against other plastic surgeons have yet to be resolved, but a lawsuit against Lehigh Valley Health Network that included the leak of nude patient photos by threat actors was recently settled for $65 million.

 
