HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Over 161,000 impacted in Long Island Plastic Surgical Group cyberattack

Written by Caitlin Anthoney | Oct 30, 2024 1:12:07 PM

Long Island Plastic Surgical Group, a network of 13 practices in New York, has confirmed that a network breach compromised the protected health information (PHI) of 161,707 patients. The breach occurred in early January 2024 and implicates the ALPHV and Radar hacking groups.

 

What happened  

Long Island Plastic Surgical Group, a network of 13 plastic surgery practices in New York, experienced a data breach between January 4 and January 8, 2024. External cybersecurity professionals confirmed the unauthorized access and exfiltration of patients’ PHI.

Their investigation was concluded on September 15, 2024, and determined that full names were compromised in conjunction with the following sensitive information: Social Security number, birth date, state identification, passport number, financial account information, medical/biometric, and clinical photographs.

Affected individuals were informed around October 4, 2024, and free credit monitoring services are offered to those whose Social Security numbers were involved.

 

Going deeper  

Two cybercriminal groups, AlphV and Radar, coordinated this attack. AlphV, also known as BlackCat, is said to have locked the LIPSG files while Radar exfiltrated sensitive data. The two groups reportedly had a 50/50 agreement to split any ransom paid, with AlphV leading negotiations.

In subsequent direct communications with DataBreaches, Radar offered a sample of the stolen information, which included internal documents, employee information, and patient records.

The FBI has since seized Radar’s data leak site to prevent further exposure of stolen information.

Related: Healthcare under attack: The rise of cyber counteroffensive

 

Why it matters  

Ransomware attacks like this can severely disrupt healthcare operations, compromise patients’ PHI, and lead to financial and reputational damage. Furthermore, the collaboration of hacking groups like AlphV and Radar calls on healthcare providers to implement multi-layered cybersecurity measures that mitigate the risk of potential data breaches.

 

The bottom line  

As targeted cyberattacks become more sophisticated, healthcare organizations must use advanced threat detection, frequent audits, and multi-layered security measures to prevent future incidents.

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach

 

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.

 

Are there any costs associated with placing a fraud alert or credit freeze?

No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.