FBI Warns About Cyber Extortion Scheme Targeting Plastic Surgery Facilities and Customers

The Federal Bureau of Investigation (FBI) warns that cybercriminals are targeting plastic surgery offices and stealing sensitive information, including medical records, in a multi-stage cyber extortion campaign.

The gangs collect personally identifiable information and electronic protected health information (ePHI), which includes sensitive photographs. They then enrich the data with publicly available information and threaten to leak it to the public unless a ransom is paid.

Multi-stage cyber extortion campaign targets plastic surgery offices and patients

The cybercriminals begin their cyber extortion campaign by spoofing their phone numbers and email addresses to deploy info-stealing malware via phishing.

The second stage involves collecting open-source information about plastic surgery patients from social media or via social engineering techniques.

Lastly, they contact the plastic surgeons and their patients via social media accounts, emails, text messages, or messaging apps and demand payment to stop sharing the sensitive information.

To coerce the victims into paying the ransom, they share the victims’ sensitive ePHI with friends, family, or colleagues and create publicly accessible websites with the stolen data.

“Cybercriminals tell victims they will remove and stop sharing their ePHI only if an extortion payment is made,” noted the FBI.

The FBI also noted that the attackers might use the extracted information for other nefarious activities, such as fraud.

While the cyber extortion campaign has only recently gained the FBI’s attention, cybercriminals have previously targeted plastic surgery facilities.

Plastic surgery facilities targeted in the past

In 2017, a group of hackers compromised a Lithuanian plastic surgery clinic, Grozio Chirurgija, and stole personal information and intimate pictures. Subsequently, they demanded ransom ranging from $50 to $2,000 from victims across 60 countries. Additionally, they attempted to sell the entire database for 300 bitcoins and, later, 50 bitcoins. When their cyber extortion scheme failed, they published over 25,000 sensitive images, including patients’ nude photos. The cybercriminals have also targeted plastic surgery providers in the United Kingdom and Brazil.

Several plastic surgery clinics in the United States have also experienced patient data breaches. On August 30, 2023, California’s Beverly Hills Plastic Surgery reported a data breach attributed to BlackCat/ALPHV ransomware that leaked personal and medical information.

Similarly, Gary Motykie, M.D., a Medical Corporation, reported a cyber incident that potentially leaked the personal information of 3,500 individuals, including Social Security Numbers, driver’s licenses, and medical images. The threat actors reportedly demanded $2.5 million to avoid publishing the stolen information online.

In February 2023, Plastic Surgery Associates of South Dakota suffered a ransomware attack that leaked the data of 10,200 patients, including Social Security numbers, ID numbers, diagnoses, and lab results.

Nevertheless, cyber extortion incidents targeting plastic surgery providers are few and far between, according to the American Society of Plastic Surgeons.

However, the explicit nature of the stolen data and the type of clientele targeted make such incidents a lucrative cyber extortion scheme deserving of law enforcement’s attention.

“This is particularly nasty, especially since plastic surgery tends to be a very personal type of procedure,” noted Erich Kron, a Security Awareness Advocate at KnowBe4. “Whether it’s simply cosmetic for the sake of appearance or more functional due to recovery from a significant illness or accident, the threat to expose the procedural information, especially photos, could cause serious embarrassment for the patients.”

Describing the cybercriminals as a “disgusting group of individuals,” Kron noted that they “know what they are doing and yet do not care at all about the impact this has on the individuals.”

He also warned that plastic surgery facilities could face significant legal consequences for leaking sensitive patient information.

“These facilities need to ensure that their employees are trained to spot and report social engineering attacks, including email phishing, text message attacks, and even potentially phone calls that are designed to gain network access,” Kron said.

The healthcare industry as a whole has traditionally been a lucrative target for cyberattacks, given the vast amount of sensitive patient data it collects.

“Unfortunately, their infrastructure remains weaker and less cohesive than that of other industries,” said Shawn Surber, a Senior Director of Technical Account Management at Tanium. “Add to that the accelerating mergers and acquisitions process in order to keep health systems afloat, and it’s become the perfect hunting ground for malicious attackers.”

Additionally, most plastic surgery customers are wealthy individuals with huge disposable incomes, making them lucrative targets.

“Targeting plastic surgeons and their patients makes a lot of financial sense,” explained Surber. “Plastic surgery is a lucrative and largely pay upfront business.”

Protecting plastic surgery facilities and customers from cyber extortion

The FBI advised plastic surgery facilities and customers to review their social media account settings and audit friendships to enhance privacy.

“Preferably, make your account private and limit what can be posted by others on your profile. Audit friend lists to ensure they consist of and are visible to people you know,” advised the FBI.

Additionally, they should secure their financial, email, and social media accounts with unique and complex passwords and enable two-factor authentication.

Lastly, they should monitor bank accounts and credit reports for suspicious activity, report any fraud they find, or freeze their credit reports to prevent fraud.