From the We-Wish-This-Was-An-April-Fools-Joke-But-It’s-Not department:
It appears that another plastic surgery entity has fallen prey to a cyberattack, and once again, a lot of sensitive patient data has been leaked.
Paul Vitenas, Jr., M.D., F.A.C.S. is the founder of Vitenas Cosmetic Surgery, Mirror Mirror Beauty Boutique, and the Houston Surgery Center in Texas.
On March 5, the threat actor(s) known as Kairos listed Dr. Vitenas’s site on their darkweb leak site with proof of claims that they thoughtfully redacted. But when they subsequently leaked what they claimed is 1.34 GB of files, none of it was redacted.
DataBreaches explored the data leak enough to confirm that there was a lot of unencrypted protected health information that included nude photos of recognizable patients. In addition to patient data from the past few years, there were also a number of internal documents about employees and other routine business operations.
In fact, DataBreaches had not been aware of the incident until someone posted about it on a Russian-language forum on Monday. A machine translation of what they wrote began:
After the hack of a plastic surgery clinic in Houston, a lot of information about patients was left in the format name, DOB, phone, e-mail, address, SSN, photo DL (front/back). All questionnaires are fresh (mostly visited the clinic in 2024 or 2025).
The poster appeared to be trying to determine if there was any interest in purchasing the data. DataBreaches reached out to them on Tox and learned that they were part of Kairos.
Not finding any notice or alert on the medical entity’s website, DataBreaches contacted Dr. Vitenas’s office via their “live chat” on Monday to inquire about the breach. There was no “live” response to the actual questions this site posed, but they responded that DataBreaches would receive an answer by text or phone. As of publication, neither has happened.
DataBreaches also emailed Kairos to ask them some questions about the incident and whether the poster on the forum was connected to them. They responded by telling DataBreaches that they obtained access via a simple brute force attack in February, and that the IT department “knew for sure” that there was a hack. “They discovered the hack after we sent them messages on their network, and then access was lost,” they tell DataBreaches.
Kairos also states that negotiations with Dr. Vitenas had been going on for about a month.
We were sure to the last minute that Dr. Vitenas would protect his clients’ data and keep it off the darknet. Most likely he is more interested in his money than naked photos and other personal information of his clients. We still haven’t posted the most sensitive information. If we don’t find a buyer soon, we will make it public.
As of publication, there is no incident report on HHS’s public breach tool.
This post was updated post-publication to include responses from Kairos.