November 8, 2017. Categories: Breaches, Healthcare, Non-U.S.

This is the type of media coverage that makes me grit my teeth. Publications speculating about what “royal” may have had what type of plastic surgery, and how they might be blackmailed or extorted about it by the hackers known as TheDarkOverlord.

In this case, the breach being discussed was a hack of a plastic surgery specialty group known as London Bridge Plastic Surgery (LBPS) in the U.K.

This is not the first hack and extortion attempt involving a plastic surgery clinic in 2017. Earlier this year, I had reported on a similar type of situation in Lithuania, but in the Lithuania case, the hackers put the patient photos up for sale on the dark web fairly quickly after offering to sell the pictures back to their owners or the affected patients.

What makes the London Bridge Plastic Surgery hack and extortion demand even worse from my perspective is that many of the surgeries performed at LBPS are gender (sex) reassignment surgeries. Yes, there are patients who just wanted a nose job or boob job or tummy tuck, etc., but for some patients, the surgery was to radically change their appearance from male to female genitalia or vice versa.

This blogger had known about the hack and actually had a number of patient files before another news outlet announced the breach publicly. The files that I had been provided by the hackers as proof of the hack included extremely sensitive pictures taken before, during, and after gender reassignment surgery. Those files were in folders with the patients’ names as the folder names. A quick Google search had found those patients and their home addresses.

In fact, although the hackers had not (yet) told me the name of the surgeon or practice, I had actually figured out that it was LBPS, but because I had agreed not to publish anything just yet, I had not revealed anything. And I was hoping – somewhat against hope – that the doctor(s) would decide to go public and announce the breach themselves and start notifying their patients so that the patients would find out from them and not from the media. That was not to be, as Joe Cox of The Daily Beast wound up breaking the story.

Image caption: As part of their strategy to increase pressure on a plastic surgery clinic to pay extortion, TheDarkOverlord sent a few journalists highly sensitive patient pictures and data. Screenshot by; patient names redacted by

To be clear: I did not contact any of the patients to ask their feelings about this breach. I still haven’t, because it’s not clear to me whether all patients have been notified and I really don’t want to be the one to break such potentially distressing news to patients who have likely already undergone a lot of stress and anxiety in their lives.

This is the type of patient data breach that has always been on the level of “nightmare” for me as a privacy advocate and as a health care professional. And while media reports do acknowledge how serious this type of breach can be, too many news outlets – which I will not link to – seem to be focused on the fact that the hackers mentioned that there were pictures of “royals” in there.

Note that the hackers did not actually claim British or U.K. royals, although it would not be particularly surprising. And frankly, I have no desire to, nor intention of, going through every name in the files I received to determine who might be a royal or some kind of celebrity.

Because it doesn’t matter to me.

What matters to me is that some people took serious measures to change the quality of their lives, and medical teams worked professionally and diligently to provide the highest level of surgical care and compassion.

And it all may have gone to hell because they did not secure the patient files adequately against attackers like TheDarkOverlord.

Now you can argue that TheDarkOverlord are highly skilled and sophisticated hackers, but I have no information as to how TDO gained a foothold in LBPS because the hackers always politely decline to answer any of my questions about their methods. So it could be as simple as the practice leaving Remote Desktop Protocol enabled and using a weak password for it. Until LBPS issues some public report as to how this happened or TDO decides to reveal their methods, we really won’t know.

Here in the U.S., lawsuits against the clinic would already have been filed, although some patients might not want their medical details made public as part of any litigation. In the U.K., there seems to be much less breach-related litigation. And that’s not necessarily a bad thing, although it does mean that we find out about fewer cases in the U.K.

In any event, even though this breach is almost out of the usual news cycle, let’s keep in mind that the hackers still have all the files and pictures they acquired. Will they reach out to individual patients to try to extort them? Will they put the data up for sale on the dark web? And will we even know what happens next, if anything?

Some nightmares go on for longer than a 15-minute news cycle.
