On October 17, the FBI issued a Public Service Announcement, Cybercriminals are Targeting Plastic Surgery Offices and Patients. Five days later, DataBreaches learned that there had been another attack on a plastic surgery practice where patient data had allegedly been stolen and is in danger of being leaked publicly. It would not be surprising if the FBI knew about the attack and that it was the impetus for the newly released PSA.
This newest incident appears to involve patients of Jaime S. Schwartz, M.D., a plastic surgeon with offices in Beverly Hills and Dubai. The attack was claimed by Hunters International, a relatively new group (or re-branding of an older group, see below). “Patients of Mr. Schwartz’s clinics are top management of various organizations, bloggers, businessmen, influencers and other “not ordinary” individuals. Mr. Schwartz charges $500 for the initial appointment,” the threat actors write in their leak site listing on the dark web.
The listing includes four photos, allegedly from the physician’s patients. One of the images shows a nude patient with their face visible. The other images show partially unclothed bodies, but no faces or identifiable tattoos.
The listing claims that Hunters International acquired 1.1 TB of data consisting of 248,245 files.
DataBreaches reached out to Dr. Schwartz’s office via its website contact form to ask about the claimed breach, but no reply has been received by publication. DataBreaches is therefore treating this as an unconfirmed claim at this point.
DataBreaches also reached out to Hunters International to ask them for more details after they updated the listing to indicate that they were preparing to start emailing the doctor’s patients, but no reply has been received by publication.
Plastic Surgery Offices are Attractive Targets
Attacks on plastic surgery offices did not begin in 2023, but this year threat actors have become more aggressive about revealing patients’ sensitive information and attempting to extort patients directly. So what have HHS, the American Society of Plastic Surgeons, and law enforcement done to warn plastic surgeons and to give them specific advice about avoiding having identifiable patient photos at risk?
See a brief chronology of some malware and/or extortion incidents affecting plastic surgery patients
In July, DataBreaches emailed the American Society of Plastic Surgeons to ask them what they were advising surgeons in light of all the attacks this year. DataBreaches asked:
Has ASPS ever sent out any notice or guidance to members about storing nude photos of identifiable patients on their servers? I know many surgeons use galleries to promote their work and the screenshots show only a portion of the patient, but they are often uploading complete pictures or files with the patients’ names that they then crop for display.
Have they been cautioned not to do that? And if so, can you email me a copy of the caution and its date?
An association spokesperson responded:
HIPAA compliance is vital for any physician practice and patient photography is considered Protected Health Information (PHI). For its members, American Society of Plastic Surgeons provides online resources, articles in our newsletter and several other conduits on an ongoing basis.
So the American Society of Plastic Surgeons didn’t answer the question, but it appears that on July 6, they posted something on their site about a ransomware scam targeting plastic surgeons. The advisory focused on email and phone attempts to gain access to networks by threat actors posing as ABPS Board Office employees. Nothing in the advisory suggested that members do anything different about storing identifiable patient photos on their servers.
On October 19, the American Society of Plastic Surgeons reposted the FBI’s PSA on its site. The FBI’s PSA had offered these tips for plastic surgery practices and the public:
- Review profile settings in your social media accounts to strengthen privacy. Preferably, make your account private and limit what can be posted by others on your profile. Audit friend lists to ensure they consist of and are visible to people you know. Only accept friend requests and follows from people you know. Enable two-factor authentication to login.
- Secure accounts (e-mail, social media, financial, bill pay) by creating unique and complex passwords for login; consider using a password manager to help you remember them.
- Monitor bank accounts and credit reports for any suspicious activity; consider placing a fraud alert or security freeze on your credit reports to prevent unauthorized access.
Nowhere does the FBI address the risks of storing nude patient photos linked to patients’ names and medical records. Nor does the American Society of Plastic Surgeons’ October 19 post add anything about the nightmare breaches and leaks of nude patient photos and details we have witnessed this year.
Why is this major and avoidable risk being ignored in advisories that supposedly address plastic surgery practices?
What if every threat actor does what the threat actors who breached Hankins & Sohn Plastic Surgery Associates did: create a leak site with patients’ nude photos, names, email addresses, phone numbers, and medical records, and have Google index it all, so that any search of a person’s name returns a nude picture of them and all their sensitive information?
As of October 17, the same day the FBI issued its PSA, the threat actors responsible for the Hankins and Sohn leak site posted yet another update to their leak site:
On October 17th this website turns 3 months old. Mr. Hankins and Mr. Sohn continue to ignore the situation, we suppose they’re listening to some “experts” and other “specialists” opinions. It must be taken into account that it’s a huge number of clients and inevitably winnable cases for lawyers, so they will surely be advising not to engage into a dialogue with us. This way they provoke us to post more clients on the website. Profit. Regarding the “cyberexperts” – no comments. Their advices and opinions were needed to prevent the incident, not now when they only worsen the situation. The situation with the website is something new, and it must be taken into account that after all lawsuits, the clients can demand to take down the website. It’s their right.
It’s only possible to take down the website and to delete all data on our end by negotiating with us. In the coming weeks we’re planning on updating the website, we’ll add about 250 new clients.
Unsurprisingly, there has been litigation filed against the plastic surgery practice. In a case consolidated in the litigation, one plaintiff alleges that the defendants’ electronic files, including PII, PHI, and sensitive photographs were disseminated to a large number of her co-workers, employer, and others.
The Hankins and Sohn incident is a nightmare for patients, as was the Gary Motykie, MD incident and other incidents noted in the chronology file.
So what regulators or state attorneys general are cracking down on privacy and data security laws that apply to plastic surgeons? Are any? What are HHS, the FTC, and state attorneys general doing?
A Note (and Some Speculation) About Hunters International
Hunters International appears to be a new group, but there has already been speculation that they may be a re-branding of the Hive ransomware gang whose infrastructure was taken down by the FBI in January after months of the FBI living in their network and giving out free decryptors to some of their victims.
A connection between Hunters International and Hive stems from overlap in the coding of the two groups’ ransomware, as noted this week by @rivitna2 on X (formerly Twitter).
Apart from the coding, DataBreaches had other reasons to suspect the overlap or re-branding. Beginning a few months ago, DataBreaches started occasionally receiving emails about victims listed on AlphV’s leak site. The writing in the emails to the victims, copies of which were shared with DataBreaches, and the writing of the spokesperson who responded to this site’s questions were strikingly similar to writings sent to this site by Hive in the past.
But assuming (for now) that there is a connection, is Hunters International an affiliate of AlphV or a subgroup or…? Some of the emails to DataBreaches come from Hunters International but use the same email account as other emails that come from “alpha team.” The email address incorporates the name of one of the victims that appeared on AlphV’s leak site in recent months. Hopefully, Hunters International will clarify for DataBreaches what their relationship to AlphV is. If they do respond, this post will be updated. If this site disappears, then maybe I shouldn’t have asked them. 🙂
Update of October 23: Hunters International responded to my email inquiries. They commented that they breached Dr. Schwartz’s network a month ago. “We downloaded all data from their file server. As a result over 1TB of data includes patients photoshots before and after surgeries, through-year visits, videos of surgeries and other sensitive data were stolen.” Their network had “very weak security,” they stated.
In response to my inquiry about Hive or any connection, they answered, “No we are not hive. we are affilates. we work with many teams.”
This post was also corrected to remove an erroneous statement about encryption. Hunters International informs DataBreaches that they did encrypt Dr. Schwartz’s files and have no policy about encrypting medical entities.
Update of October 24: Hunters International subsequently added a post to their leak site, further denying that they are Hive re-branded:
Update of November 11: Hunters International re-listed the Jaime Schwartz plastic surgery listing this week. They started listing some patient data with a note:
Seems like you don’t want to protect your data at all. More than 30 days had passed already since your network has been breached. You have been provided with everything you have asked about: sample of files, decryption tool demonstration, filetree, personal details. But you keep begging for proofs. This is not the way we going to make business with you. Maybe you will do us a favor and transfer half of the money to prove that you can pay for your data? That would be fair, we guess. Nevertheless, we will start deploying a little piece of your data every week, until all of your data will be shared this way. Starting today. You still have an option to pay for your data, until sharing is finished. But we will not provide you with samples, decryptions, whatever-you-want-to-see.files. After uploading is finished you will be on your own. Game is over, ask your federal agent to help you with breach notification report.
Dr. Schwartz has not responded to any inquiries submitted by this site since the threat actors first announced their attack and at last check, there is no notice or alert on his website about any breach. Given that personally identifiable information and protected health information are already being leaked, DataBreaches hopes he is alerting patients to take steps to protect themselves.
Update of December 1: The Schwartz listing was subsequently removed again from Hunters’ leak site, but on November 30, it reappeared with some nude photos of patients and a note to patients, “If you find your private data here just email us and we will let you know how to proceed further with actions against this DOCTOR!” As of today, there are three days left on a countdown clock until more patient data will presumably be leaked. Dr. Schwartz has not responded to multiple requests for a statement about this incident.