Medical Records Heist: FBI Warns of Cyber Threats to Plastic Surgery Practices

Category: Cybercrime | Industry: Healthcare | Source: FBI

In a recent advisory, the FBI has issued a warning regarding cybercriminals who have set their sights on plastic surgery offices, surgeons, and patients, with the nefarious aim of harvesting sensitive medical records and personally identifiable information, sometimes including sensitive photographs. The threat actors are observed to initiate a three-phase attack strategy to achieve their objective. As outlined in the public service advisory the three phases include (1) data harvesting, (2) data enhancement, and (3) extortion.

During the first phase, the attacker utilizes spoofed emails or phone numbers to initiate communication with the target whilst deploying malware designed to pilfer sensitive data. The FBI warns that "cybercriminals harvest electronically protected health information (ePHI), which includes sensitive information and photographs." In phase 2, the cybercriminals intensify their efforts by gathering additional victim information through open-source channels, primarily social media, and leveraging social engineering techniques to augment the stolen ePHI data.

This enhanced dataset becomes a tool for extortion, setting the stage for the final phase. The cybercriminals will weaponize the stolen information, contacting the surgeon and/or patient demanding cryptocurrency payments, and threatening to share the stolen ePHI with victims' friends, family, and colleagues. Additionally, they create public-facing websites displaying the data, coercing victims into making payments to prevent further exposure. The FBI encourages the public to maximize their privacy and security settings on social media platforms and be mindful of their engagements online and over the phone. Victims of scams are also advised to file a complaint with the Internet Crime Complaint Center (IC3).