161K-Record Data Breach Reported by Long Island Plastic Surgical Group
New York-based Long Island Plastic Surgical Group reported a hacking incident to the HHS’ Office for Civil Rights at the beginning of this year. The incident affected the protected health information (PHI) of 161,707 people, who may be patients from the 13 plastic surgery centers under the Long Island Plastic Surgical Group.
The group published a substitute breach notice stating that external cybersecurity experts investigated the incident and confirmed that the network attack took place from January 4, 2024 to January 8, 2024. A limited amount of patient information was exfiltrated from its network. The file analysis was completed on September 15, 2024, and confirmed the theft of full names along with some or all of the following data elements: birth date, Social Security number, passport number, driver’s license number/state ID number, financial account details, medical data, biometric data, medical insurance policy data, and clinical images.
Long Island Plastic Surgical Group stated it did not receive any information on improper use of breached data resulting from the incident; nevertheless, as a safety measure, people whose Social Security numbers were involved were provided free credit monitoring services. According to Long Island Plastic Surgical Group, many safety measures for patient data protection have been implemented. Internal controls will continue to be evaluated and modified to further improve protection.
Long Island Plastic Surgical Group’s notification letter did not say if the incident was due to a ransomware attack. Nevertheless, the Radar threat group said that it was responsible for the attack. A member of the Radar threat group claimed it executed the attack together with the ALPHV threat group. ALPHV was in charge of the intrusion while Radar handled the data extraction. Radar mentioned that ALPHV got the ransom payment but did not pay Radar its cut of the ransom. Radar then made its own ransom demand in exchange for not exposing the stolen information; however, Radar did not get any ransom payment. Recent news stated that the Federal Bureau of Investigation (FBI) had taken over the Radar data leak site.