Data Breach

Ransomware Attack Targets Another Plastic Surgery Group

Parker Bytes March 20, 2024

I recently became privy to a rather worrying cybersecurity attack on a plastic surgery group based on Long Island. Affectionately known as LIPSG, it has numerous practices scattered across New York. The shocking event, which unfolded on March 8th, saw this trustworthy healthcare group fall victim to a ruthless ransomware attack. Chaps, it was a modern-day digital heist that could leave an indelible mark on patients and employees alike.

Here’s a dash of context before we crack on. Two notorious hacker groups, cheekily named AlphV and Radar, conspired to commit the virtual crime. While the former cunningly locked all of the files, the latter focused on making off with the data. Long story short, the plan was to split the spoils fifty-fifty. AlphV were in charge of negotiations for the hacker duo, while some chap purportedly named Dr. Glickman held the fort for LIPSG.

Tales of the skirmishes between Dr. Glickman and Radar’s representative are juicy. According to the representative, their negotiation bien sûr dropped the ransom demand to a cool $1 million as Dr. Glickman supposedly bandied about a tall tale of bankruptcy and FBI meddling in their insurance payments. However, it’s said that AlphV managed to snag half of the ransom payment for a decryption key and legged it, leaving Radar high and dry with a bundle of purloined data yet to be erased.

Debunking wild claims and piecing together the truth is another kettle of fish entirely. This is especially difficult when the alleged Dr Glickman more or less told Radar to do one in the face of their demands to communicate. Tactics turned a tad aggressive on the 8th when Radar threatened, via email, to cause LIPSG “as much damage as possible”.

While the narrative to this point is nail-biting enough, the sticky wicket in this tale came next. DataBreaches tried to reach out to LIPSG over thrice, but were met with deafening silence and a severe lack of helpfulness from certain staff members. They resorted to contacting a few patients directly, sharing, rather revealing, leaked data with one woman, but also got no response.

What’s even more extraordinary is that some plastic surgery groups have the audacity to use the patient’s real names in filenames containing (brace yourselves) nude photographs of patients! I mean, this does beg the question, why hasn’t anybody — the HHS, APS, CISA, or the FBI— given plastic surgeons a serious wake-up call about this mortifying practice?

With LIPSG keeping tight-lipped about this alleged attack, we must remember that a good chunk of this is unconfirmed. Nonetheless, the pesky Radar affiliates claim that LIPSG was attacked on January 7th and had promptly informed their Board of Directors. If that’s on the level, patients should’ve been notified and an incident report filed with the HHS.

Up to this point, there’s been nary a peep from LIPSG, so DataBreaches has even bothered the NYS Attorney General’s Office to check if they’re in the know about the incident.

Chaps, do remember, that the poor victims (LIPSG) were given until March 24th to engage with Radar. So, stick around while we monitor the situation but without sharing any sensitive patient or staff data. After all, we must respect the privacy and dignity of all affected.

Oh, and before I sign off, just a quick additional nugget of news. DataBreaches did receive an email from LIPSG post this update indicating their willingness to engage. So, we’re hoping for a helpful response this time. Let’s see how this one unfolds, shall we?

by Parker Bytes