Long Island Plastic Surgical Group, a network of 13 practices in New York, has confirmed that a network breach compromised the protected health information (PHI) of 161,707 patients. The breach occurred in early January 2024 and implicates the ALPHV and Radar hacking groups.
What happened
Long Island Plastic Surgical Group, a network of 13 plastic surgery practices in New York, experienced a data breach between January 4 and January 8, 2024. External cybersecurity professionals confirmed the unauthorized access and exfiltration of patients’ PHI.
Their investigation was concluded on September 15, 2024, and determined that full names were compromised in conjunction with the following sensitive information: Social Security number, birth date, state identification, passport number, financial account information, medical/biometric, and clinical photographs.
Affected individuals were informed around October 4, 2024, and free credit monitoring services are offered to those whose Social Security numbers were involved.
Going deeper
Two cybercriminal groups, AlphV and Radar, coordinated this attack. AlphV, also known as BlackCat, is said to have locked the LIPSG files while Radar exfiltrated sensitive data. The two groups reportedly had a 50/50 agreement to split any ransom paid, with AlphV leading negotiations.
In subsequent direct communications with DataBreaches, Radar offered a sample of the stolen information, which included internal documents, employee information, and patient records.
The FBI has since seized Radar’s data leak site to prevent further exposure of stolen information.
Related: Healthcare under attack: The rise of cyber counteroffensive
Why it matters
Ransomware attacks like this can severely disrupt healthcare operations, compromise patients’ PHI, and lead to financial and reputational damage. Furthermore, the collaboration of hacking groups like AlphV and Radar calls on healthcare providers to implement multi-layered cybersecurity measures that mitigate the risk of potential data breaches.
The bottom line
As targeted cyberattacks become more sophisticated, healthcare organizations must use advanced threat detection, frequent audits, and multi-layered security measures to prevent future incidents.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
See also: How to respond to a data breach
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Are there any costs associated with placing a fraud alert or credit freeze?
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.
