Reckless data storage at a plastic surgery practice led to embarrassment for both patients and the doctor. In a bizarre twist, not only did the hackers publish patient photos on the internet, they also posted explicit videos of Dr. Gary Motykie, who owns the practice in Los Angeles. Apparently, he had stored his own personal videos on the medical practice’s server.
The breach was first reported on by an NBC4 news affiliate in Los Angeles on July 10. A patient called the news station after she was contacted by the hackers via email. They sought payment for removing her data since the doctor refused their extortion demand of $2.5 million.
On July 17, DataBreaches.net picked up the story, reporting also on another plastic surgery data breach at Beverly Hills Plastic Surgery around the same time. The cyber attacks at the two practices appear not to be from the same attacker.
According to Dr. Motykie’s breach report to the Maine Attorney General, he learned on or about May 9 that a third party was in possession of patient data. The following patient information was compromised:
- First and last name
- Social Security Number (if provided)
- Driver’s license or identification card number
- Financial account or payment card number, in combination with any required CVV code
- Intake forms, which may include medical information and history
- Images taken in connection with the services rendered
- Health insurance information (if provided)
A total of 3,461 patients have been affected.
The breach was also reported to the California Attorney General on July 19 but, as of this date, has not been reported to the Office for Civil Rights (OCR), as HIPAA requires.
Dr. Motykie has offered affected patients two years of credit monitoring services, which at least one of his patients says is not nearly enough to make up for the pain and suffering she has endured. According to the NBC4 news report, Elaina Shaffey has filed a lawsuit claiming negligence and intentional infliction of emotional distress.
An internet search shows at least one class action law firm advertising to find victims of the Motykie breach to join a lawsuit.
Plastic Surgeons are Targets for Cyber Attacks
Several other plastic surgeons have experienced cyber attacks during 2023, including Hankins & Sohn Plastic Surgery Associates in Las Vegas and, as noted above, Beverly Hills Plastic Surgery.
Moreover, according to a July 27 NBC4 follow-up report regarding the breach at Dr. Motykie’s office:
On July 6, the American Board of Plastic Surgery sent a message to its members, the third one since May, warning of “fraudulent ransomware aimed at plastic surgeons.” The alert explains that emails appearing to come from the board office have an attachment or link that when clicked on, “launches the ransomware and combs for patient data and photos.” The FBI is investigating.
Follow HIPAA to Prevent Breaches (and Defend Lawsuits)
Medical practices that experience healthcare data breaches face investigations from OCR (for HIPAA violations) and state attorneys general (for violating state privacy laws). Depending on their level of care, their policies, procedures, and cybersecurity protections, they could end up paying big settlements. The practices also face lawsuits from patients for breach of privacy, negligence, and breach of contract, among other claims.
Recovering from a personal and embarrassing breach like this will take time. But you can rebuild trust by following HIPAA, strengthening cybersecurity practices, doing a risk analysis, and communicating all your improvements to your patients and the wider public.