Earlier this week, DataBreaches reported that two plastic surgery practices in California had both suffered cyberattacks. When the doctors did not pay ransom demands, attackers leaked nude patient pictures and patient info. One attack was by AlphV (BlackCat) on Beverly Hills Plastic Surgery. The other attack was by an unnamed group or individual on Gary Motykie, MD. The style of the leak site and contact methods for the Motykie leak site were not familiar to DataBreaches, and a spokesperson for AlphV told DataBreaches that they were not responsible for the Motykie attack or leak site.
Neither practice has suffered a leak of all of their patient data as yet, but both leaks included some sexually explicit photos and in the second case, some videos of the plastic surgeon engaged in activities that are not the kind of private videos one would \want on the internet or viewed by potential patients. Whether those videos were on the same system with patient photos or if the attacker gained access to a personal server is unknown to DataBreaches, but the bad actor(s) also prominently posted private videos involving the surgeon’s brother and his girlfriend, raising questions as to whether there was possibly a personal motive for the leak site and not just a financial one.
And Then There Were Three
After DataBreaches published that article, people claiming responsibility for the Motykie leak site reached out to DataBreaches and pointed DataBreaches to yet another leak site involving plastic surgery patients’ nude photos.
DataBreaches had already been aware that Hankins & Sohn Plastic Surgery Associates in Nevada had reported a breach in April to the Vermont Attorney General’s Office. It hadn’t been reported on this site yet because we hoped to get more details first. What was known, however, was that the doctors claimed they discovered an incident on February 23 that affected patients’ protected health information. Their April notification letter did not state that there had been any ransom demand. It does, however, state that their investigation had been unable to determine whose data may have been accessed or acquired so they were notifying all past and current patients and consults who had information in their systems.
There has been no report of the Hankins & Sohn incident on HHS’s public breach tool, so we do not yet know how many patients and consults they have been notifying or will be notifying. But according to the leak site for the medical practice, “everything from Hankins and Sohn plastic surgery clinic’s network (documents, pre op and post op photos of more than 10000 patients)” had been obtained in the attack and those responsible had told the doctors that on February 23.
When Drs. Hankins and Sohn allegedly ignored them, “we started to send some patients photos to their familiar people,” they write, adding, “Right after that Hankins and Sohn started negotiations but they just dragged on time and cheated. So now we announce this website. We will publish Hankins And Sohn’s patients data and photos here.”
Unlike the leak site for Dr. Motykie’s patients, this one has no personal or sexually explicit photos or videos prominently displayed– but like the first leak site, it also shows patients’ faces, names, date of birth, phone number, and email addresses. And like the Motykie leak site, clicking on an image takes you to an individual webpage for the named patient with an archive of all their unredacted photos and medical documentation records.
The leak site appears to have first been registered on July 17, even though some of the photos on it are stamped with an update date of July 12.
Those responsible for the leak site indicated that they would be sending DataBreaches a reply with answers to some of the questions this site had posed to them, but the reply has not been received yet. The one detail or claim that they have already made that is not on their leak site for Dr. Motykie is that he did not disclose all the consults he has done that also have patient photos involved. They have provided no proof of that claim to DataBreaches as yet.
Drs. Hankins and Sohn have not replied to either of the inquiries sent via their site contact form yesterday and today. DataBreaches also reached out to a small sample of patients yesterday and today to ask whether they had been notified that their personal information and nude photos had been leaked on the internet. None of the patients have replied. So while the data appear real, neither the doctors nor any of the patients contacted have actually confirmed that the Hankins and Sohn-related leak site has real patient data.
There’s a lot that remains unknown about these incidents. Hopefully, we will get more information and answers soon.