The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Naked Patient Photos Published After Ransomware Attack on Plastic Surgery Clinic

Legal counsel for the Hollywood, CA-based plastic surgeon, Gary Motykie, M.D., recently notified patients about a cyberattack and data theft incident. According to the notification letters, Dr. Gary Motykie was recently contacted by a cyber threat actor who claimed to have accessed his IT systems and to be in possession of sensitive patient information.

The notification was received on May 9, 2023, and a third-party incident response firm was engaged to investigate and determine the validity of the threat actor’s claims. A data breach was confirmed on or around June 6, 2023, with the review of the affected files confirming they contained information such as first and last name, address, driver’s license/identification card number, financial account information, payment card number and CVV code, Social Security Number, health insurance information, intake forms, which may include medical information and medical history, and images taken in connection with the services provided. The types of data varied from individual to individual and may have included only some of the above information.

The breach was recently reported to the Maine Attorney General as affecting a total of 3,461 individuals. Two years of complimentary credit monitoring and identity theft protection services have been offered to affected individuals and the practice has taken steps to improve data security. The incident has been reported to law enforcement, appropriate authorities, and the American Board of Plastic Surgery, which is also investigating the breach. The threat actor behind the attack was not named.

Attacks that involve the theft of naked images offer threat actors an easy way to increase pressure on the victim to make payment, as was the case with a ransomware attack on Lehigh Valley Health Network earlier this year by the ALPHV/BlackCat ransomware group. ALPHV also conducted a similar attack on another Californian plastic surgery clinic, Beverly Hills Plastic Surgery, according to recent media reports, where naked photographs were also published online when the ransom was not paid. Beverly Hills Plastic Surgery has yet to publicly confirm the data breach.


While not mentioned in the notification letters, Dr. Gary Motykie was allegedly issued with a ransom demand of $2.5 million. When payment was not received, the threat actor started publishing the stolen data, including topless images of patients along with personal information such as names, birthdates, email addresses, phone numbers, and financial information. Patients were contacted by the threat actor via email and links were shared to the Internet site where the stolen information and images were published.

Elaina Shaffy was one of the affected patients and had her photographs published online. She told NBC Los Angeles that she discovered her information had been leaked after being contacted by another patient who was in a similar position. She later discovered she had been emailed by the threat actor but had failed to see the message in her junk folder. She made contact with the threat actor and was informed that a third party had made a payment on her behalf and that her information and photographs had been removed. She has since filed a lawsuit against Dr. Gary Motykie over the theft of her information.

At least 70 individuals have had their photographs and personal information published online following the attack. Private images of Dr. Gary Motykie were also published online. Dr. Gary Motykie reportedly did not pay the ransom as there was no guarantee that the stolen data would be deleted.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
