A celebrity Beverly Hills plastic surgeon who has appeared on TV shows, including “Botched” and “The Doctors,” is being sued by patients who say he failed to tell them about the data breach.
Eight patients filed a class action lawsuit earlier this month, saying Dr. Jaime Schwartz had not maintained sufficient cybersecurity despite multiple warnings, resulting in their data being stolen and published online.
Schwartz’s office did not respond to a request for comment this week.
The complaint alleges that the hacked data included patients’ names, phone numbers and home addresses, as well as driver’s license, insurance, credit card and medical information. The lawsuit also said the hacked material included photos and videos of patients’ naked and partially clothed bodies, including images of surgery under anesthesia.
The lawsuit alleges that Schwartz failed to promptly or appropriately notify patients of the initial or subsequent hacker attack in September 2023, or to address security weaknesses between incidents.
According to the complaint, he notified patients only in January this year, after some people found information about the breach online. The lawsuit says he did not provide the required notice to the California Attorney General’s Office or the state Department of Health and Human Services.
“Despite knowing that his patients’ most private medical data are in the hands of malicious actors, Dr. Schwartz waited for nearly 10 months to inform them,” the complaint said. “Finally, after their nude photos and home addresses were posted online (for anyone with an internet connection), Dr. Schwartz sent out a rough, vague and misleading data breach notification.”
The lawsuit says the hackers have made patients vulnerable to identity theft and have caused serious emotional distress due to “humiliation, shock, worry and anxiety” because patients know their information and photos may be or have been posted online.
Their attorney, Damion Robinson, said the compensatory and punitive damages the plaintiffs are seeking could be in the “tens of millions of dollars.”
The plaintiffs claim that Schwartz, a well-known plastic surgeon with more than 189,000 followers on Instagram and offices in Beverly Hills and Dubai, had sufficient warning of his need to protect customer data but failed to take the necessary steps to secure his network.
“Dr. Schwartz and others in the medical field (in the field of plastic surgery) have been warned for years by government agencies and professional organizations that they are targets of hackers seeking ransom and ransomware data,” the complaint said.
Over the past few years, hackers have targeted plastic surgery practices because the sensitive data they store can be used to facilitate identity theft and to try to extort ransoms from doctors and patients.
In a report released in 2019, the American Medical Association pointed out that 83% of doctors had experienced some form of cyberattack and described cybersecurity as a “patient security issue.”
According to a report from databreaches.net, between 2017 and 2023 there were at least 13 public reports involving plastic surgery practices. In 2023, the FBI released a public service announcement warning that criminals were targeting plastic surgery offices, “grabbing personal identity information and sensitive medical records, including sensitive photos in some cases.”
The lawsuit says the hackers have released personal information of 30 of Schwartz’s patients and threatened to continue doing so until they receive the ransom.
The lawsuit said that after the first hack was reported online, a few patients contacted Schwartz, who said only a few were affected and other patients’ information was safe.
Following the second data breach in March 2024, the hackers created a public website that announced their actions and shared photos and data of patients. According to the complaint, Schwartz didn’t inform his patients until January, when he sent the following message to some of them:
“Our office discovered on June 27, 2024 that unauthorized third parties utilized a third-party provider’s certificate to access the practice’s medical billing and practice management system. After the incident was discovered, we worked with a dedicated third-party incident response company to conduct a forensic investigation and determine the extent of compromise. The investigation determines that the data is unauthorized. After the electronic discovery ended on January 2, 2025, it was determined that some of your personal information exists in the affected data set. Then, we took measures to notify you of the incident as soon as possible.”