Another plastic surgeon has become the victim of a cyberattack that involved patient information and photographs.
On October 23, Michael R. Schwartz, MD, FACS, notified the California Attorney General’s Office that, on August 25, they became aware of remote, unauthorized access to one of their computers. Investigators found that an unauthorized party had accessed patient files between January 20 and August 26.
Dr. Schwartz’s notification letter did not disclose the number of patients whose records were accessed, but noted that the types of information for each patient might include names, Social Security numbers (if provided), addresses, email addresses, phone numbers, photographs, and medical record numbers.
In response to the incident, Dr. Schwartz engaged leading cybersecurity experts to investigate and assess the full scope of the incident and to help strengthen their security controls. “We have since replaced all office computers and servers, enhanced our network protections, and implemented additional staff training on data security practices,” he writes.
Dr. Schwartz is also offering those affected complimentary access to Experian IdentityWorksSM for 12 months. Additional resources can be found in the substitute notice on his website.
Was There Any Ransom Demand?
DataBreaches has been reporting on attacks against plastic surgery practices since 2017. Many of the incidents reported by this site involved ransom or extortion demands—some involved leak sites with nude photographs and details of named patients. DataBreaches found two leak sites with nude photographs of patients and medical information that are still online. One is from a 2023 incident, and the other is from a 2024 incident. Class-action lawsuits against the plastic surgery practices involved are still winding their way through the courts.
For a partial chronology of cyberattacks involving plastic surgery practices, see “A Brief Chronology of Cyberattacks on Plastic Surgery Practices.” For details on some of them, search DataBreaches.net.
Dr. Schwartz’s notification letter does not reveal the identity of the attacker(s) or whether there was any ransom or extortion demand.
As of this publication, no group has publicly claimed responsibility for this attack. Although Dr. Schwartz indicates that this incident was reported to HHS, HHS has not updated its public leak site in more than a month.
DataBreaches contacted Dr. Schwartz through his website to ask (1) whether any nude photographs of patients had names attached to them, and (2) whether he had received any ransom or extortion demands. His office did not reply immediately, but this post will be updated if a reply is received.
*NOTE: As far as we know, the plastic surgery practice of Michael R. Schwartz, MD, FACS, in California is unrelated to that of Jaime S. Schwartz, MD, FACS. The latter is also in California and was the victim of two cyberattacks with ransom demands.