
Long Island Plastic Surgical Group, a network of 13 practices in New York, has notified the U.S. Department of Health and Human Services’ Office for Civil Rights of a substantial data breach involving the protected health information (PHI) of 161,707 individuals. The breach occurred earlier this year, with unauthorized access confirmed between January 4 and January 8, 2024.
Following the breach, external cybersecurity experts were enlisted to assess the extent of the intrusion, which led to the exfiltration of sensitive data. A thorough review, concluded on September 15, 2024, verified that personal details such as full names were compromised, along with additional sensitive identifiers including birth dates, Social Security numbers, driver’s license details, passport numbers, financial information, health insurance details, biometric data, and clinical photographs.
In its response, Long Island Plastic Surgical Group stated that there was no evidence that the stolen data had been misused. Nonetheless, to mitigate potential risks, the group has offered complimentary credit monitoring services to individuals affected by the breach. It has also committed to enhancing its internal controls and data security protocols, although details of these measures remain undisclosed.
While Long Island Plastic Surgical Group did not confirm whether ransomware was involved, the Radar threat group claimed responsibility for the breach. According to a Radar spokesperson, the attack was executed in partnership with the ALPHV group; ALPHV purportedly managed the network intrusion while Radar handled data extraction. However, internal disputes reportedly followed the payment of a ransom to ALPHV, from which Radar claims to have received no compensation. In retaliation, Radar issued its own ransom demand, threatening to publish the data if it went unpaid. This demand went unmet, prompting Radar to initiate the data leak.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543