The FBI issued an alert in mid October warning the public that cybercriminals are targeting plastic surgery offices to harvest patients’ personally identifiable information and sensitive medical records, including photos. The criminals then enhance this data and extort individuals for cryptocurrency.
According to the FBI, the scammers use technology to disguise their phone numbers and email addresses and then deploy malware to plastic surgery offices. After hacking into a system, the cyberthieves harvest electronically protected health information (ePHI).
During the second phase of their scam, cybercriminals enhance the data they’ve harvested for extortions by using public information they find online as well as social engineering techniques (efforts designed to trick people into divulging confidential information).
During Phase 3 — the extortion phase — cybercriminals contact the plastic surgeons and their patients through social media accounts, emails, text messages and messaging apps, and ask for payment to prevent sharing their electronically protected health information. To step up the pressure, cybercriminals have shared sensitive information with victims’ friends, family and colleagues. They’ve also created public-facing websites using the data. The criminals tell victims they’ll remove and stop sharing their information only if they make the extortion payments.
Naked photos circulated
An article published this summer in the HIPAA Journal discussed breaches impacting several plastic surgery offices in California and Pennsylvania. One of the plastic surgeons was allegedly issued a ransom demand of $2.5 million. When payment was not received, the cybercriminals started publishing naked images of the surgeon’s patients with personal info. At least one patient filed a lawsuit against her surgeon.
The recent FBI alert included these suggestions for individuals:
Review profile settings in your social media accounts to strengthen privacy. Preferably, make your account private and limit what can be posted by others on your profile. Audit friend lists to ensure they consist of and are visible to people you know. Only accept friend requests and follows from people you know. Enable two-factor authentication to login.
Secure accounts (e-mail, social media, financial, bill pay) by creating unique and complex passwords for login; consider using a password manager to help you remember them.
Monitor bank accounts and credit reports for any suspicious activity; consider placing a fraud alert or security freeze on your credit reports to prevent unauthorized access.
Reporting fraud
The FBI requests that victims report fraudulent or suspicious activities to its Internet Crime Complaint Center (IC3) and to include as much information as possible including:
The name of the person who contacted you.
Method of communication used, to include websites, emails, and telephone numbers.
The wallet address(es) or bank account number(s) for extortion payments and recipient name(s), if provided.
