Cybercriminals are targeting plastic surgery clinics to steal sensitive medical records they can use to extort patients and surgeons, the FBI said in a public service announcement on Tuesday.

Criminals obtain personally identifiable information, sensitive medical records, and, in some cases, “sensitive photographs,” the FBI stated. They use social engineering techniques to build on this data and extort victims, demanding anonymous cryptocurrency as payment.

A Multi-Stage Scam

In a statement detailing the scam, the FBI said cybercriminals spoof their phone numbers and email addresses (so that each contact appears to come from a different, randomized source) and deploy malware to plastic surgery offices through phishing techniques. The malware is capable of extracting private medical data, including photographs.

Using open-source information found on social media and social engineering techniques, cybercriminals “enhance” the harvested electronically protected health information (ePHI). This data will ultimately serve as leverage for extortion and may also be used in other fraudulent schemes.

Criminals contact victims — including plastic surgeons and their patients — through social media, emails, and messaging apps, demanding payment and threatening to share their sensitive medical data. To apply pressure, they may share this private data with victims’ families and acquaintances or even create public websites displaying the data. They usually promise to halt the sharing and remove the data when a ransom payment is made.

Criminals are also known to sell stolen private data on the dark web. In 2019, the personal data of thousands of plus-sized women, stolen in a data breach, was offered for sale on the dark web.

U.S. Healthcare System’s Breach Value

The U.S. healthcare system has a staggering “Potential Breach Value” of over $3.2 billion, according to Tausight’s 2023 ePHI Intelligence Report.

“We’ve found that few healthcare organizations – regardless of their size or type – know the full scope of their data risk. This exposes them to increasing risk of OCR fines and penalties, and their patients to becoming victims of cyber crime,” David Ting, founder and chief technology officer at Tausight, said.

Reporting Suspicious Activities

The FBI recommends setting your social media accounts to private. This will limit the exposure of your personal details. Also, ensure you know all the people who follow you.

The FBI also urged victims to report fraudulent or suspicious activities to the IC3 unit. When reporting, it’s essential to provide as much information as possible, including the name of the person who contacted you, the communication method used, and any cryptocurrency wallet addresses or bank account numbers provided for extortion payments.

In addition to the FBI’s security tips, we recommend enabling two-factor authentication on all your accounts to make them harder to breach, and using a strong, unique password for each account, or, preferably, passkeys where they are supported.

Also, check your financial reports for anomalies and unauthorized activity, and consider talking to your financial institution regarding fraud alerts for extra protection.
