Cyberattack at Long Island plastic surgery practice compromised data of  161,707 patients

A plastic surgery practice headquartered in Garden City faced a data breach earlier this year impacting the private information of 161,707 patients, the company said in a notice in October.

The Long Island Plastic Surgical Group, a collection of 13 locations in the metro area providing facial, body and reconstructive surgical treatments, said in a notice posted to its website that it was the victim of a cyberattack between Jan. 4 and 8. Data from 161,707 current or former patients was compromised, according to the U.S. Department of Health and Human Services' Office for Civil Rights, which tracks data breaches. 

A spokeswoman for the surgical group declined to comment, citing security concerns. She directed inquiries to the group’s online notice. The group notified clients of the breach on Oct. 4. 

After discovering evidence that “unauthorized access to our network” had taken place earlier this year, the group launched an investigation with the aid of outside cybersecurity professionals to determine what data may have been taken and how.

,“We discovered that a limited amount of personal information was removed from our network in connection with this incident,” the group said in its notice. The investigation ended Sept. 15.

Full names, Social Security numbers, birth dates, state identification numbers, financial account information, biometrics, medical information and clinical photographs were compromised in the breach, the practice said in its notice.

“We are committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it,” the practice said. “We continually evaluate and modify our practices and internal controls to enhance the security and privacy of personal information.”

The practice did not disclose the nature of the breach, but ransomware criminal organizations Radar and AlphV took credit for the cyberattack, according to Databreaches.net, a blog and news aggregator focused on data breaches.

Cybersecurity expert Steve Morgan said it’s common for investigations into breaches like these to conclude long after an initial incident has occurred.

“Sometimes an investigation to find out exactly what happened can take this long,” Morgan, founder of Cybersecurity Ventures, a media publisher and market researcher based in Northport, said in an email. “And sometimes much longer.”

Unfortunately for consumers, health care providers are a common target for criminal organizations that engage in cyber and ransomware attacks due to the abundance of private information they have access to.

“Health care providers are prime targets because they collect and store not only personally identifiable information such as names and email addresses, but also SSNs and payment data including credit cards with full details,” he said.

In its notice to patients, the practice encouraged clients to enroll in “complimentary credit monitoring services,” place fraud alerts and security freezes on their credit files, and review financial statements for any irregular activity.

While taking precautions is always preferable over taking action after the fact, Morgan said consumers have options to help protect themselves.

“Everyone should have multi-factor authentication (MFA) aka 2-factor authentication (2FA) turned on for all of their apps, most especially email and bank accounts,” Morgan said. “And in the aftermath, if they don't have this turned on, then they should immediately.”

Those with questions about the breach may call a dedicated line for inquiries at 855-508-7237,  9 a.m. to 9 p.m. Monday through Friday.