In October 2023, the ransomware group Hunters International claimed responsibility for hacking the plastic surgery practice of Dr. Jaime S. Schwartz, a Beverly Hills-based plastic surgeon.
The hackers allegedly downloaded 1.1 terabytes of patient data, which included nearly 250,000 files containing information like nude photographs and videos of patients taken during medical consultations and surgical procedures. Despite the severity of the breach, Dr. Schwartz did not notify his patients, the California Attorney General’s Office, or the U.S. Department of Health and Human Services (HHS). Then, in March 2024, his practice was reportedly hacked again, exposing additional patient data.
It wasn't until January 2025 that Schwartz sent notifications to affected individuals, claiming he had only discovered the breach on June 27, 2024, and completed an electronic discovery process on January 2, 2025. By this time, the hackers had already publicly leaked patient names, contact information, and explicit photos online, even attempting to extort patients directly.
As a result of these delays, on February 22, 2025, eight anonymous patients filed a class-action lawsuit against Schwartz in federal court in the Central District of California, accusing him of failing to provide timely breach notifications as required under federal and state laws. In February 2024, the Medical Board of California had publicly reprimanded Schwartz for unrelated violations involving aiding the unlicensed practice of medicine.
According to DataBreaches.Net, “As DataBreaches reported, Schwartz ignored attempts to acquire further information about the alleged breach and there was no evidence that he reported the incident to the California Attorney General’s Office or the U.S. Department of Health and Human Services. Periodic checks of HHS’s public breach tool found no indication that the incident was reported to HHS’s site for breaches affecting more than 500 patients.
Now CourtWatch, in collaboration with 404 Media, reports that a class action lawsuit has been filed against Schwartz by eight “Doe” patients. The complaint alleges the doctor did not timely notify patients that his practice was allegedly hacked twice by Hunters International.”
Patients deprived of timely notification are left vulnerable, unable to take immediate steps to protect themselves from potential identity theft. Such delays amount to a failure to act in accordance with both federal and state laws, and potentially HIPAA requirements.
If found to be a HIPAA covered entity, Schwartz may face penalties from the HHS for failing to comply with federal notification requirements. The legal consequences could culminate in further scrutiny from the California Medical Board, especially given his prior reprimand for unrelated ethical violations.
Sharing before-and-after photos requires patient authorization.
Practices must report breaches affecting fewer than 500 patients to affected individuals and HHS by March 1 of the following year. Breaches affecting 500 or more patients must be reported within 60 days to patients, HHS, and media outlets.
Practices should implement robust security measures, conduct regular risk assessments, ensure employee training on HIPAA, and maintain up-to-date policies and procedures to prevent data breaches.