FBI: Plastic Surgery Offices Targeted by Extortion Groups
U.S. plastic surgery offices are being targeted by cybercriminal groups that gain access to their networks, steal data, and attempt to extort the practices and their patients, according to a recent public service announcement from the U.S. Federal Bureau of Investigation (FBI).
There have been several attacks on plastic surgery providers in recent months. While ransomware may be deployed in these attacks, their primary purpose is to steal sensitive patient data, which can include medical records and pre- and post-surgery photographs. The practice is then issued a ransom demand, with payment required to prevent the release of the stolen data. In some cases, sensitive patient data and images have been published online, and the threat actors have attempted to extort the patients directly. In one attack on the Hollywood, CA-based plastic surgeon Gary Motykie, M.D. in May 2023, a $2.5 million ransom was demanded to prevent the release of the stolen data. Some of the practice's patients were contacted directly and told to pay to have their sensitive information taken down.
According to the FBI, the threat actors use spoofing technology to hide their true phone numbers and email addresses, and use phishing emails to distribute malware. The malware provides access to the practices' internal computers, allowing the attackers to harvest sensitive data, including photographs. The threat actors have been observed enriching the stolen data with information gathered from social media platforms, and have also used social engineering techniques to add to the harvested ePHI of plastic surgery patients. The enriched data is used as leverage for extortion and for other fraud schemes. The threat actors contact plastic surgeons and their patients by telephone, email, SMS, and social media. Sensitive ePHI is also shared with the patients' friends, family, colleagues, and contacts, and public-facing websites are created to publish the stolen data.
The FBI has shared tips on how to improve security and reduce the risk of falling victim to these attacks. These measures include reviewing the privacy settings of social media accounts and ideally making accounts private to limit what others can see and what others can post on profiles. Care should be taken when accepting friend requests, and friend lists should be audited to ensure they contain only known individuals. Accounts should be configured so that friend lists are visible only to known individuals. Strong, unique passwords and MFA should be used for all accounts, especially email, financial, and social media accounts. A password manager is recommended for generating strong, unique passwords and storing them securely. Bank accounts and credit reports should also be checked routinely for suspicious activity.
While not mentioned in the announcement, plastic surgery offices should ensure that they follow cybersecurity best practices such as setting strong passwords and enabling multifactor authentication on all accounts, and they should deploy endpoint detection and response solutions and robust anti-phishing controls, since phishing emails are the reported initial access vector in these attacks.