Plastic Surgery, a practice based in California, recently confirmed that it fell victim to a cyberattack involving extortion. The incident was reported to the California Attorney General’s Office and occurred between March 20, 2024, and July 24, 2024. However, specific details such as the exact date of the breach and its discovery remain unclear in the notification sent to patients. The practice’s letter informed those affected that an unknown intruder gained access to certain client information and attempted to extort the business. In response, SSK engaged law enforcement and cybersecurity experts to contain the attack and protect patient data.
In their notification, SSK stated that the intruder likely sought money rather than sensitive data, but they advised patients that their personal information could have been compromised.
The letter mentioned that a “limited number of documents” may have been accessed, but it didn’t clarify the scope of the breach or whether any data had been exfiltrated or leaked. The substitute notice on SSK’s website provided more information, revealing that the attacker accessed personal details, including names, addresses, phone numbers, email addresses, and limited health information such as images from virtual consultations. There were also a small number of Social Security numbers and driver’s licenses exposed.
As of now, the breach has not appeared in the Department of Health and Human Services’ (HHS) public breach tool, which tracks incidents involving more than 500 patients.
Additionally, no group has publicly taken responsibility for the attack. The timing of this breach coincides with another cyberattack on a plastic surgery practice in California, owned by Dr. Jaime S. Schwartz, which has raised questions about potential links between the incidents.
DataBreaches also contacted Dr. Sean Kelishadi of SSK Plastic Surgery for further details regarding the incident. Specifically, they sought clarification on whether any data had been exfiltrated or leaked, particularly information protected by health privacy laws. They also inquired about the extortion demand and any potential links between the attackers and previous incidents in the plastic surgery sector. While SSK’s investigation continues, the full impact of this breach remains uncertain, leaving patients and the public waiting for more details on the scope and severity of the attack.
Reference:
