DataBreaches.Net


Another plastic surgery group has fallen victim to a ransomware attack – Long Island Plastic Surgical Group/NYPSG (2)

Posted on March 19, 2024 by Dissent

On March 8, DataBreaches learned of another attack on a plastic surgery group. This time, it was the Long Island Plastic Surgical Group, a group that has 10 locations in New York and dozens of doctors. This is another ransomware story that may have a very unhappy ending for patients and employees.

Hit by Two Groups

The attack on LIPSG reportedly began as a collaborative effort between two groups — AlphV and a group now known to DataBreaches as Radar. AlphV was responsible for locking the files and Radar was responsible for exfiltrating data. The split was supposed to be 50/50, according to the representative for Radar, with AlphV reportedly doing the negotiating for the two teams, and someone alleged to be Dr. Glickman from LIPSG doing the negotiating for LIPSG.

According to Radar’s representative, their negotiator dropped the ransom demand to $1 million because Dr. Glickman (or whoever claimed to be him) allegedly told the negotiator that they had no money and that the FBI was blocking their insurance payments. That was not particularly credible, but Radar claims that AlphV managed to get Dr. Glickman to pay them $500,000 for a decryptor key, took the money, and was never heard from again. Radar repeatedly tried to get LIPSG to negotiate with them to delete all the data they still hold, but LIPSG did not respond other than Dr. Glickman supposedly telling them that he was “not interested.”

So on March 8, Radar sent another email to LIPSG cc:d to others, including DataBreaches. Their email reminded the recipients that they had acquired about 700 GB of internal documents, employee records, and patient records, and they threatened to do as much damage as possible to LIPSG business.

In subsequent direct communications, Radar provided DataBreaches with a sample of data that included internal documents, employee information, and patient records. Radar also gave DataBreaches access to the larger tranche to review. After inspecting the data, DataBreaches reached out to LIPSG via their website contact form. No reply was received then or to a second inquiry days later. A third attempt included an email sent to the Chief Financial Officer that included his personal information that had been included in the sample. He did not reply. A phone call to the HIPAA Compliance Officer (“Randi”) got through, and when she understood what DataBreaches was calling about, she said she could not answer the questions but would have someone call DataBreaches back. No one called back.

A listing posted on a clearnet site on March 13 gave LIPSG until March 24 to respond. Image: DataBreaches.net

With no confirmation from NYPSG/LIPSG, DataBreaches reached out to a few patients. The first two were patients of the same doctor. Neither one had been notified of any breach or concern. The third patient was contacted by email. DataBreaches sent her the information about her from the sample and a copy of a nude photograph of her from 2021 that presumably will be in the full leak with her name attached to it. There has been no reply from her as of publication, but the email did not bounce back.

When Will They Ever Learn?

DataBreaches has previously criticized plastic surgery groups that use patient names as filenames for nude photos of patients. DataBreaches even wrote to the American Society of Plastic Surgeons (ASPS) and urged them to issue an alert advising their members to stop using patient names as filenames for nude photos of patients. They did not do so. When will HHS, ASPS, CISA, or the FBI come out and tell plastic surgeons to stop this insecure file-naming practice? Or will it be the personal injury lawyers who finally produce change?
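To make the file-naming point concrete, here is an added example (not code from the post, from LIPSG, or from any practice named here): the weak scheme beside a hardened one, plus a small audit routine a practice could run against an existing photo share. The hardened scheme names each image by a keyed HMAC of the patient's record ID, so a stolen image store yields neither names nor record IDs and, because the MAC is keyed, cannot be brute-forced back to short numeric IDs; re-identification requires the key, which is held on the EHR side rather than on the share. Every name, record ID and the key below are constructed for the example, and the name-detection regex is a triage heuristic, not a compliance test.

```python
import hashlib
import hmac
import re
import secrets

# Pseudonymisation key. In production it belongs in a KMS/HSM on the EHR/PACS
# side, never on the image share; generated at random here for the example.
PSEUDONYM_KEY = secrets.token_bytes(32)


def weak_filename(patient_name: str, date: str, view: str, ext: str = "jpg") -> str:
    """The practice the post criticises: the patient's name IS the filename."""
    return f"{patient_name.replace(' ', '_')}_{date}_{view}.{ext}"


def pseudonym(record_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym for a record ID: HMAC-SHA256 truncated to 128 bits.

    A plain hash of a short MRN could be reversed by enumeration; the key stops that.
    """
    mac = hmac.new(key, record_id.encode("utf-8"), hashlib.sha256).digest()
    return mac[:16].hex()


def pseudonymous_filename(record_id: str, image_seq: int,
                          key: bytes = PSEUDONYM_KEY, ext: str = "jpg") -> str:
    """Filename carrying nothing about the patient. Date, view and laterality
    stay in the access-controlled EHR/PACS index, not in the file share."""
    return f"{pseudonym(record_id, key)}_{image_seq:03d}.{ext}"


def resolve(filename: str, record_ids, key: bytes = PSEUDONYM_KEY):
    """Re-identify a file. Only the key holder, with the EHR's list of record IDs,
    can recompute the pseudonyms and match. Returns the record ID or None."""
    prefix = filename.split("_", 1)[0]
    for rid in record_ids:
        if hmac.compare_digest(pseudonym(rid, key), prefix):
            return rid
    return None


# Heuristic audit for an existing store: flag stems that contain two or more
# capitalised alphabetic tokens separated by '_', '-' or space (e.g. Jane_Doe).
_NAME_LIKE = re.compile(r"(?:^|[_\- ])[A-Z][a-z]+(?:[_\- ][A-Z][a-z]+)+")


def looks_identifying(filename: str) -> bool:
    stem = filename.rsplit(".", 1)[0]
    return bool(_NAME_LIKE.search(stem))


def audit_listing(filenames):
    """Return the subset of a directory listing that appears to name a patient."""
    return [f for f in filenames if looks_identifying(f)]


if __name__ == "__main__":
    # Constructed sample data; no real patients or record numbers.
    records = {"MRN-000123": "Jane Doe", "MRN-000456": "John Public"}
    weak = [weak_filename(name, "2021-06-14", "front") for name in records.values()]
    safe = [pseudonymous_filename(rid, 1) for rid in records]
    print("weak :", weak, "-> flagged:", audit_listing(weak))
    print("safe :", safe, "-> flagged:", audit_listing(safe))
    print("resolve (key holder only):", resolve(safe[0], records.keys()))
```

The design point is separation of duties between the two stores: the image share can be backed up, synced and shared with vendors without carrying identity, and the HMAC key plus the MRN index sit with the clinical system that already has to be protected. An attacker who only gets the share, as the threat actors here apparently did, gets images without names attached.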

Because LIPSG did not respond to multiple requests for them to confirm or deny the threat actors’ claims, DataBreaches reminds readers that there is much that is unconfirmed at this point. Specifically, the Radar affiliate representative claims that LIPSG was attacked on January 7 and that NYPSG’s Board of Directors was informed the same day about what happened (NYPSG is a subdivision of LIPSG). If that is true, then perhaps this incident should have been reported to HHS already and patients should have been notified: the HIPAA Breach Notification Rule requires that breaches affecting 500 or more individuals be reported to HHS, and affected individuals notified, without unreasonable delay and no later than 60 calendar days after discovery, and more than 60 days had elapsed between January 7 and this post. Finding nothing on LIPSG’s website, getting no response from them, and finding nothing on HHS’s public breach tool, DataBreaches sent an inquiry to the NYS Attorney General’s Office to ask whether the state has been notified of this incident. This post will be updated when a reply is received.

Radar’s listing gives their victim until March 24 to deal with them. DataBreaches will continue to monitor this situation, but for the time being, is not posting any screenshots of patient data and employee data. Some of the images are so distinct in features and sensitive that it might not be possible to redact them sufficiently to de-identify them.

Update of March 19:  Shortly after posting this, DataBreaches received an email from LIPSG offering to answer questions. I have sent them some questions and will update when I get their reply.

Update of March 22: Despite writing, “I can ensure you get a prompt reply,” no reply has been received to the questions sent on March 19. 

Related posts:

  • Another plastic surgery practice appears to have been hit — this time by Hunters International (5)
  • RADAR and DISPOSSESSOR shift to R-a-a-S model
  • Two California plastic surgery practices suffer cyberattacks and embarrassing patient data leaks
  • When you don’t know why you are being notified of a breach, Tuesday edition (2)
Category: Blog, Commentaries and Analyses, Health Data, Malware, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.