Beverly Hills surgeon slammed for data breach silence
Kirsten Peremore
Feb 24, 2025 4:53:04 PM
In October 2023, the ransomware group Hunters International claimed responsibility for hacking the plastic surgery practice of Dr. Jaime S. Schwartz, a Beverly Hills-based plastic surgeon.
What happened
The hackers allegedly downloaded 1.1 terabytes of patient data, which included nearly 250,000 files containing information like nude photographs and videos of patients taken during medical consultations and surgical procedures. Despite the severity of the breach, Dr. Schwartz did not notify his patients, the California Attorney General’s Office, or the U.S. Department of Health and Human Services (HHS). Then, in March 2024, his practice was reportedly hacked again, exposing additional patient data.
It wasn't until January 2025 that Schwartz sent notifications to affected individuals, claiming he had only discovered the breach on June 27, 2024, and completed an electronic discovery process on January 2, 2025. By this time, the hackers had already publicly leaked patient names, contact information, and explicit photos online, even attempting to extort patients directly.
As a result of these delays, on February 22, 2025, eight anonymous patients filed a class-action lawsuit against Schwartz in federal court in the Central District of California, accusing him of failing to provide timely breach notifications as required under federal and state laws. In February 2024, the Medical Board of California had publicly reprimanded Schwartz for unrelated violations involving aiding the unlicensed practice of medicine.
What was said
According to DataBreaches.Net, “As DataBreaches reported, Schwartz ignored attempts to acquire further information about the alleged breach and there was no evidence that he reported the incident to the California Attorney General’s Office or the U.S. Department of Health and Human Services. Periodic checks of HHS’s public breach tool found no indication that the incident was reported to HHS’s site for breaches affecting more than 500 patients.
Now CourtWatch, in collaboration with 404 Media, reports that a class action lawsuit has been filed against Schwartz by eight “Doe” patients. The complaint alleges the doctor did not timely notify patients that his practice was allegedly hacked twice by Hunters International.”
Why it matters
Patients deprived of timely notification are left vulnerable, unable to take immediate steps to protect themselves from potential identity theft. The delayed notification shows a failure to act in accordance with both federal and state laws, and potentially HIPAA requirements.
What happens next
If found to be a HIPAA covered entity, Schwartz may face penalties from HHS for failing to comply with federal notification requirements. The legal consequences could culminate in further scrutiny from the California Medical Board, especially given his prior reprimand for unrelated ethical violations.
FAQs
Can plastic surgery practices share before-and-after photos?
Sharing before-and-after photos requires patient authorization.
How must plastic surgery practices respond to a data breach?
Practices must report breaches affecting fewer than 500 patients to affected individuals and HHS by March 1 of the following year. Breaches affecting 500 or more patients must be reported within 60 days to patients, HHS, and media outlets.
How can plastic surgery practices prevent data breaches?
Practices should implement robust security measures, conduct regular risk assessments, ensure employee training on HIPAA, and maintain up-to-date policies and procedures to prevent data breaches.