LAS VEGAS (KLAS) — The FBI is investigating how cyber criminals obtained medical records and naked patient photos from a Las Vegas plastic surgery office, posting them online for ransom, the 8 News Now Investigators have learned.
The stolen information included sensitive personal information, such as names and Social Security numbers, and nude photos of patients taken before and after surgery, several patients and court documents said.
The hack predates others affecting the Las Vegas valley over the past year, including a cyberattack on MGM Resorts, which resulted in an estimated $100 million loss to the company, and another on the Clark County School District, which resulted in the sharing of student files.
Many of the photos, which show breasts and other sensitive areas, contain patients’ faces. About a dozen women have since filed a lawsuit against the office, Hankins & Sohn Plastic Surgery Associates, claiming the office did not do enough to protect their private and personal information.
From birthdays to birthmarks
The 8 News Now Investigators spoke with four women whose information was stolen. 8 News Now is not identifying the women over their fears they could be targeted for what is now out on the internet for the world to see.
“We went to an office that we thought was safe,” one woman said. “That was going to protect us. We paid a lot of money and look what’s happening.”
The four women agreed they wanted to change their lives for the better, but surgery was no enhancement.
“Was there any hesitation?” 8 News Now Investigator David Charns asked the group.
“I was excited,” one woman said. “It was a whole new open door for me.”
All four women had breast augmentations at Hankins & Sohn between late 2020 and early 2022, they said. The practice has offices in both Henderson and Las Vegas. All four women said they were happy or satisfied with the work. One woman paid $7,000, another upwards of $30,000 for a total body makeover, they said.
They did not pay for the added stress.
“Absolutely heartbreaking,” one woman said about her life post-hack. “I didn’t even want to leave my house. I didn’t even want to talk to anybody.”
In February, cybercriminals obtained access to the office’s network, downloading patient information and posting it online, a lawsuit and a letter to patients said. The hackers then posted the photos, along with full names, addresses, emails and other private personal information, including medical records.
None of the documents posted online are encrypted. It was unclear Monday how Hankins & Sohn was storing their data per HIPAA rules. A spokesperson for the office that oversees HIPAA-related investigations declined to comment.
“I’m beyond mortified that my info and my photos were leaked,” one woman said.
“And I’ve been hacked now,” another woman said. “It’s caused multiple effects.”
One woman said hackers obtained her bank account information and stole more than $1,000. The woman’s bank was able to remedy the theft.
“This case is about a real breach of trust,” said attorney Mark Bourassa, who was representing 10 women as part of a class-action lawsuit.
The hackers not only stole the information but in some cases, sent it, along with nude photos, to family and friends through patients’ email accounts.
Bourassa was one of those unexpected recipients.
“I received an email from one of the hackers directing me to photos and information about one of these clients,” he said.
The lawsuit claims Hankins & Sohn did not do enough to protect patient information, leading to the hack. Documents the 8 News Now Investigators reviewed show more than 12,000 patients may be involved, according to an out-of-state attorney general’s office. The practice sent a letter to patients in March and April notifying them of the breach.
“On or about February 23, 2023, Hankins & Sohn became aware of suspicious activity relating to allegations by an unknown actor that data was stolen from our network,” a letter, dated April 3, said. “We quickly took steps to investigate the validity of the claims and to assess the nature and scope of the activity and what information may have been affected. We are also working with law enforcement to investigate the activity. We learned that files were taken by the unknown actor prior to this date.”
The website with patient photos and data appeared in July.
“Mr. Hankins and Mr. Sohn continue to ignore the situation, we suppose they’re listening to some ‘experts’ and other ‘specialists’ opinions,” the hackers wrote on their website on Oct. 17. “It must be taken into account that it’s a huge number of clients and inevitably winnable cases for lawyers, so they will surely be advising not to engage into a dialogue with us.”
The women said since receipt of the letter, or brief phone calls to Hankins & Sohn asking about security, there has been no communication.
“And to this day, none of you have heard from them?” Charns asked the group.
“No,” the group replied.
A billion-dollar criminal enterprise
On Oct. 17, as the 8 News Now Investigators gathered interviews and documents for this story, the FBI issued an alert titled, “Cybercriminals are targeting plastic surgery offices and patients.” The public service announcement explains how hackers are obtaining the information through social engineering and then extorting businesses for profit.
“It’s easy,” a Las Vegas-based FBI supervisory special agent said. “It’s a billion-dollar industry for these bad guys.”
The FBI confirmed it was investigating the hack, though the special agent would not go into specifics, including where the hackers may be located. The website with patient information ends in a Russian domain, though the FBI said that, because of virtual private networks, that means nothing.
“Can you describe why a cybercriminal would target a plastic surgery center?” Charns asked the FBI agent.
“The sensitivity of public health is out there,” the agent said.
The agent said criminals are pretending to be other people to get access to networks. For example, a person may call a business pretending to be from an information technology office. That caller would then coax the employee for sensitive log-in information and passwords.
It was not clear Monday how the hackers obtained access to Hankins & Sohn’s network, though the FBI specifically warned about similar “social engineering” attempts.
“When you have pictures of me, that makes it very personal,” the FBI agent said. “That’s what they’re going after is that.”
“That’s what they’re exploiting,” Charns said.
“Correct,” the FBI agent said.
‘I want to see justice served’
The women said the FBI was able to shut down the website once, though the bureau would not confirm that. Last month, a new website came online, saying the surgeons were ignoring them and they planned to add more patient information and photos.
“To have this come out the way it did is literally heartbreaking,” one woman said.
A consent form for medical photography from Hankins & Sohn the 8 News Now Investigators obtained shows the women granted access to their photos for medical and research purposes, but all the women said they were told their faces would not be in the photos. Their faces and photos are also connected to their names and other information on the website.
“On top of that I’m getting absolutely humiliated,” one woman said. “It’s devastating.”
The women said they feel like pawns in a cybercriminal’s game.
“Why talk about what happened?” Charns asked.
“Maybe to think twice and really do your research and ask if their photos are secured and that’s something I never asked — I never would have thought to ask that,” one woman said.
“What’s the best outcome?” Charns asked.
“I want to see justice served,” one woman said. “I want them to own up for what they did not. Not protecting our pictures. Not protecting our info. I want them to say that they were wrong for not having the security they’re supposed to have as a doctor’s office.”
Hankins & Sohn declined an on-camera interview, however, an attorney provided a written statement.
“Hankins and Sohn Plastic Surgery is devastated by the data breach which occurred at the hands of third-party criminal actors,” attorney Gary Schnitzer said. “Both our patients and our practice are suffering due to this intentional criminal activity. We continue to work with the FBI and other agencies to protect patient information and also to bring these bad actors to justice.”
Schnitzer declined to answer questions about past and current encryption practices or about paying a possible ransom, citing the ongoing lawsuits.
The Nevada Attorney General’s Office did not respond to a request about its possible involvement in the hack.
The FBI suggests securing all online accounts with complex passwords that differ from account to account. The bureau also advises setting up fraud alerts and security freezes.
Anyone who believes they are the victim of any online fraudulent activity can report it directly to the FBI at ic3.gov.