Another plastic surgery practice has revealed that it was the victim of a cyberattack with an extortion demand. SSK Plastic Surgery in California recently notified the California Attorney General’s Office of an incident. The state’s website indicates that SSK Plastic Surgery reported that the breach occurred on March 20, 2024 and was discovered or ended on July 24, 2024.
SSK’s notification to patients and those affected does not reveal the date of the breach nor the date of discovery. From their letter:
Recently, SSK Plastic Surgery discovered that an unknown intruder gained access to some client information and attempted to extort SSK. We immediately notified law enforcement, moved quickly to contain the incident, and engaged cybersecurity experts to conduct a thorough investigation, taking steps to ensure the protection of your personal information. We believe it is likely the intruder only wanted money and not the information on our computers but, in an abundance of caution, we are letting you know that some of your personal information may have been accessed by the intruder.
They may well be right in their assessment of the attacker’s motivation, but how much data, if any, did the attacker exfiltrate and has any of it been leaked? The notification is silent on that and doesn’t clarify exactly what it means by “a limited number of documents” that it mentions in the substitute notice on its website:
On January 13, 2025, our investigation revealed that the unknown intruder accessed a limited number of documents which may have contained your name, address, telephone number, email address, and limited health information, to include images, if provided to us, for virtual consultation services. There were also a very limited number of Social Security numbers and driver’s licenses provided to us.
As of publication, this incident has not shown up on HHS’s public breach tool for incidents involving more than 500 patients, and no group has publicly claimed responsiblity for the attack.
Noting that the incident occurred in March, 2024 — the same month that another plastic surgery practice in California owned by Jaime S. Schwartz, M.D. was also hit — DataBreaches reached out to the threat actors who claim to be responsible for the Jaime Schwartz, M.D. attack to ask them if the SSK incident was also their doing.
DataBreaches is aware of at least three attacks on plastic surgery practices the threat actors in question have claimed responsibility for and have provided proof of claims for. Although these threat actors have been responsive to questions from DataBreaches about the three other attacks, when asked if they were also responsible for SSK Plastic Surgery, their response was “No comment.” That is the first and only time they have responded “No comment.”
DataBreaches emailed Dr. Sean Kelishadi of SSK Plastic Surgery yesterday to request details about the incident, including whether data had been exfiltrated as well as accessed, and if any data with protected health information has been leaked. DataBreaches also inquired how the threat actors signed their extortion demand and inquired about a specific email address.
No reply from SSK Plastic Surgery has been received by publication.