On March 8, DataBreaches learned of another attack on a plastic surgery group. This time, it was the Long Island Plastic Surgical Group, a group that has 10 locations in New York and dozens of doctors. This is another ransomware story that may have a very unhappy ending for patients and employees.
Hit by Two Groups
The attack on LIPSG reportedly began as a collaborative effort between two groups — AlphV and a group now known to DataBreaches as Radar. AlphV was responsible for locking the files and Radar was responsible for exfiltrating data. The split was supposed to be 50/50, according to the representative for Radar, with AlphV reportedly doing the negotiating for the two teams, and someone alleged to be Dr. Glickman from LIPSG doing the negotiating for LIPSG.
According to Radar’s representative, their negotiator dropped the ransom demand down to $1 million because Dr. Glickman (or whoever claimed to be him) allegedly told the negotiator that they had no money and the FBI was blocking their insurance payments. That was not particularly credible, but Radar claims that AlphV managed to get Dr. Glickman to pay them $500,000 for a decryptor key, took the money, and then was never heard from again. Radar repeatedly tried to get LIPSG to negotiate with them to delete all the data they still hold, but LIPSG did not respond other than Dr. Glickman supposedly telling them that he was “not interested.”
So on March 8, Radar sent another email to LIPSG cc:d to others, including DataBreaches. Their email reminded the recipients that they had acquired about 700 GB of internal documents, employee records, and patient records, and they threatened to do as much damage as possible to LIPSG business.
In subsequent direct communications, Radar provided DataBreaches with a sample of data that included internal documents, employee information, and patient records. Radar also gave DataBreaches access to the larger tranche to review. After inspecting the data, DataBreaches reached out to LIPSG via their website contact form. No reply was received then or to a second inquiry days later. A third attempt included an email sent to the Chief Financial Officer that included his personal information that had been included in the sample. He did not reply. A phone call to the HIPAA Compliance Officer (“Randi”) got through and when she understood what DataBreaches was calling about, she said she could not answer the questions but would have someone call DataBreaches back. No one called back.
With no confirmation from NYPSG/LIPSG, DataBreaches reached out to a few patients. The first two were patients of the same doctor. Neither one had been notified of any breach or concern. The third patient was contacted by email. DataBreaches sent her her information and a copy of a nude photograph of her from 2021 that presumably will be in the full leak with her name attached to it. There has been no reply from her as of publication but the email did not bounce back.
When Will They Ever Learn?
DataBreaches has previously criticized plastic surgery groups that use patient names as filenames for nude photos of patients. DataBreaches even wrote to the American Society of Plastic Surgeons and urged them to issue an alert advising their members to remove patient names as filenames for nude photos of patients. They did not do so. When will HHS, APS, CISA, or the FBI come out and tell plastic surgeons to stop their insecure file naming practice? Or will it be the personal injury lawyers who finally produce change?
Because LIPSG did not respond to multiple requests for them to confirm or deny the threat actors’ claims, DataBreaches reminds readers that there is much that is unconfirmed at this point. Specifically, the Radar affiliate representative claims that LIPSG was attacked on January 7, and NYPSG’s Board of Directors was informed the same day about what happened (NYPSG is a subdivision of LIPSG). If that is true, then perhaps this incident should have been reported to HHS already and patients should have been notified. Finding nothing on LIPSG’s website, getting no response from them, and finding nothing on HHS’s public breach tool, DataBreaches sent an inquiry to the NYS Attorney General’s Office to inquire whether the state has been notified of this incident. This post will be updated when a reply is received.
Radar’s listing gives their victim until March 24 to deal with them. DataBreaches will continue to monitor this situation, but for the time being, is not posting any screenshots of patient data and employee data. Some of the images are so distinct in features and sensitive that it might not be possible to redact them sufficiently to de-identify them.
Update of March 19: Shortly after posting this, DataBreaches received an email from LIPSG offering to answer questions. I have sent them some questions and will update when I get their reply.
Update of March 22: Despite writing, “I can ensure you get a prompt reply,” no reply has been received to the questions sent on March 19.