FBI Warning: Cybercriminals are Targeting Plastic Surgery Offices and Patients for Extortion
FBI WARNING Alert Number: I-101723-PSA – October 17, 2023
SCARS Introduction to FBI Warning:
The FBI Warning concerns cybercriminals who are increasingly targeting plastic surgery clinics, breaking into their systems and accessing patient files. The goal of these attacks is usually to extort money from the clinics or their patients.
Cybercriminals use a variety of methods to break into plastic surgery clinics, including phishing, ransomware, and exploitation of software vulnerabilities. Once they have gained access to a clinic’s systems, they can steal patient files that contain sensitive information such as names, addresses, phone numbers, email addresses, medical records, and before-and-after photos.
The FBI warns that cybercriminals then use this information to extort money from the clinic or its patients. They may threaten to release the sensitive information to the public, sell it to third parties, or use it to commit identity theft.
In some cases, cybercriminals may also target individual patients directly. They may contact patients via email or social media and threaten to release their sensitive information if they do not pay a ransom.
Plastic surgery clinics are particularly vulnerable to cyberattacks because they often store a large amount of sensitive patient data. Additionally, many plastic surgery clinics are small businesses that may not have the resources to invest in robust cybersecurity measures.
FBI Warning About Plastic Surgery Extortion
The FBI is warning the public about cybercriminals who target plastic surgery offices, surgeons, and patients to harvest personally identifiable information and sensitive medical records, including sensitive photographs in some instances. Once successful, cybercriminals use social engineering techniques to enhance the harvested data and extort individuals for cryptocurrency.
FBI Warning about this Scam
- Phase 1 – Data Harvesting
Using technology to disguise their phone numbers and email addresses (“spoof”), cybercriminals use phishing to deploy malware to plastic surgery offices. Once successful, cybercriminals harvest electronically protected health information (ePHI), which includes sensitive information and photographs.
- Phase 2 – Data Enhancement
Cybercriminals use open-source information, including social media, and social engineering techniques to enhance the harvested ePHI data of plastic surgery patients. Cybercriminals use the enhanced data as leverage for extortion in Phase 3 and may use it for other fraud schemes.
- Phase 3 – Extortion
Cybercriminals contact plastic surgeons and their patients via social media accounts, emails, text messages, or messaging apps, and demand payment to prevent sharing of their ePHI. To pressure victims into paying, cybercriminals share the sensitive ePHI with victims’ friends, family, or colleagues, and create public-facing websites with the data. Cybercriminals tell victims they will remove and stop sharing their ePHI only if an extortion payment is made.
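Phase 1 hinges on spoofed sender addresses getting a phishing message in front of clinic staff. The following is an added example, not code from the FBI alert or from SCARS, showing the checks a mail gateway or an administrator reviewing a suspicious message can run on the raw headers: display-name spoofing, a From domain that does not match the envelope sender or the DKIM signer, a missing DMARC pass from the receiving server, and a Reply-To that redirects the conversation elsewhere. The two messages embedded below are constructed for the example; the domains, selectors and signature values in them are placeholders, and it assumes the receiving mail server added an Authentication-Results header, as most do.

```python
"""Flag common sender-spoofing indicators in a raw email header.

Illustrative code added to this page; not an FBI or SCARS tool.
Sample messages and domains below are constructed placeholders.
"""
import email
import re
from email.utils import parseaddr


def _domain(header_value: str) -> str:
    """Lower-case domain part of the first address in a header, or '' if none."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def spoofing_indicators(raw: str) -> list[str]:
    """Return reasons the visible sender should not be trusted (empty = none found)."""
    msg = email.message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    # 1. Display-name spoofing: the name shown to the user is itself an address
    #    at a different domain than the real From address.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != from_dom:
        findings.append(f"display name claims {m.group(1).lower()} but address is {from_dom}")

    # 2. Envelope sender (Return-Path) does not match the visible From domain.
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    # 3. DKIM signature was produced by a domain other than the From domain.
    d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if d and d.group(1).lower() != from_dom:
        findings.append(f"DKIM signed by {d.group(1).lower()}, not {from_dom}")

    # 4. The receiving server did not record a DMARC pass for this message.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("no dmarc=pass in Authentication-Results")

    # 5. Replies would go to a different domain than the one shown in From.
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")

    return findings


# Constructed sample: a phishing message impersonating the clinic's billing address.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.clinic.example; dkim=pass header.d=bulk-sender.example; dmarc=fail header.from=evil.example
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.example; s=k1; h=from:to; bh=abc; b=def
From: "billing@trusted-clinic.example" <notify@evil.example>
Reply-To: <pay@other.example>
To: frontdesk@trusted-clinic.example
Subject: Updated patient invoice attached

Please open the attached invoice.
"""

# Constructed sample: a legitimate message from the clinic's own mail system.
LEGIT = """\
Return-Path: <billing@trusted-clinic.example>
Authentication-Results: mx.clinic.example; dkim=pass header.d=trusted-clinic.example; dmarc=pass header.from=trusted-clinic.example
DKIM-Signature: v=1; a=rsa-sha256; d=trusted-clinic.example; s=sel1; h=from:to; bh=abc; b=def
From: "Clinic Billing" <billing@trusted-clinic.example>
To: frontdesk@trusted-clinic.example
Subject: Monthly statement

Statement attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoofing_indicators(raw) or ["no indicators"])
```

None of these checks proves a message is malicious on its own; mailing-list relays and third-party senders legitimately trip the Return-Path and DKIM checks. Treated together, and especially with a missing DMARC pass and a display name that impersonates an address, they are the signals worth routing to a human before anyone opens an attachment.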
Tips To Protect Yourself
- Review profile settings in your social media accounts to strengthen privacy. Preferably, make your account private and limit what can be posted by others on your profile. Audit friend lists to ensure they consist of, and are visible only to, people you know. Only accept friend requests and follows from people you know. Enable two-factor authentication for login.
- Secure accounts (e-mail, social media, financial, bill pay) by creating unique and complex passwords for login; consider using a password manager to help you remember them.
- Monitor bank accounts and credit reports for any suspicious activity; consider placing a fraud alert or security freeze on your credit reports to prevent unauthorized access.
The FBI requests victims report these fraudulent or suspicious activities to the FBI IC3 at www.ic3.gov. Be sure to include as much information as possible.
- The name of the person who contacted you.
- Method of communication used, to include websites, emails, and telephone numbers.
- The wallet address(es) or bank account number(s) for extortion payments and recipient name(s), if provided.
If the crime involves cryptocurrency, it should also be reported to the U.S. Secret Service; visit reporting.AgainstScams.org to learn more.