Long Island Plastic Surgical Group, a network of 13 practices in New York, has confirmed that a network breach compromised the protected health information (PHI) of 161,707 patients. The breach occurred in early January 2024 and implicates the ALPHV and Radar hacking groups.
Long Island Plastic Surgical Group, a network of 13 plastic surgery practices in New York, experienced a data breach between January 4 and January 8, 2024. External cybersecurity professionals confirmed the unauthorized access and exfiltration of patients’ PHI.
Their investigation concluded on September 15, 2024, and determined that full names were compromised in conjunction with the following sensitive information: Social Security number, birth date, state identification, passport number, financial account information, medical/biometric information, and clinical photographs.
Affected individuals were informed around October 4, 2024, and free credit monitoring services are offered to those whose Social Security numbers were involved.
Two cybercriminal groups, AlphV and Radar, coordinated this attack. AlphV, also known as BlackCat, is said to have locked the LIPSG files while Radar exfiltrated sensitive data. The two groups reportedly had a 50/50 agreement to split any ransom paid, with AlphV leading negotiations.
In subsequent direct communications with DataBreaches, Radar offered a sample of the stolen information, which included internal documents, employee information, and patient records.
The FBI has since seized Radar’s data leak site to prevent further exposure of stolen information.
Ransomware attacks like this can severely disrupt healthcare operations, compromise patients’ PHI, and lead to financial and reputational damage. Furthermore, the collaboration of hacking groups like AlphV and Radar underscores the need for healthcare providers to implement multi-layered cybersecurity measures that mitigate the risk of potential data breaches.
As targeted cyberattacks become more sophisticated, healthcare organizations must use advanced threat detection, frequent audits, and multi-layered security measures to prevent future incidents.
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.