FBI: Hackers Are Extorting Plastic Surgery Patients

Cybercriminals are harvesting sensitive personally identifiable information (PII) and medical records from plastic surgery offices to extort doctors and patients, the FBI has revealed.

The public service announcement issued on October 17, 2023, warned that once harvested, attackers demand a ransom from plastic surgeons and patients to prevent sharing this data, which often includes sensitive photographs.

How the Attackers Operate

The FBI highlighted the three-stage approach cybercriminals are using to launch these scams:

• Phase 1 – Data Harvesting. The attackers send phishing messages to plastic surgery offices with the aim of deploying malware. Once the malware is executed, they harvest electronically protected health information (ePHI) and PII.
• Phase 2 – Data Enhancement. Cybercriminals then utilize open-source information, such as social media accounts, and social engineering techniques to “enhance” the harvested ePHI data, to use as leverage for extortion and other attacks.
• Phase 3 – Extortion. Plastic surgeons and their patients are then contacted via social media accounts, emails, text messages or messaging apps to make the extortion demand. Sometimes, attackers exert extra pressure on victims by sharing the sensitive ePHI to family, friends and colleagues, and even create public-facing websites with the data. The cybercriminals tell victims they will only stop sharing this data if an extortion payment in cryptocurrency is made.

How to Protect Against These Attacks

The FBI set out the following advice for plastic surgeons and their patients to reduce the risk of being targeted in this way:

1. Strengthen privacy settings in your social media accounts, such as making your account private. Additionally, friend lists should be audited to ensure they consist of and are visible to people you know, and only accept friend requests and follows from people you know. Two-factor authentication should also be enabled when logging in to your account.
2. Ensure all online accounts, such as email and social media, are secured with unique and complex passwords.
3. Regularly monitor bank accounts and credit reports for any suspicious activity, and consider placing a fraud alert or security freeze on your credit reports to prevent unauthorized access.
4. Report any fraudulent or suspicious activities to the FBI, providing details like the name of the person who contacted you, the method of contact and crypto wallet addresses/bank account numbers provided from extorters.