When the Center for Facial Restoration announced it had been hit by ransomware recently, the hack attack might have sounded like just another expensive cyber incident for a small business. But the hack of the rhinoplasty practice near Miami included another, darker threat. The criminals added another potential revenue stream to their enterprise — extorting patients by threatening release of potentially embarrassing photos.
So in addition to worrying about restoring data that had been encrypted with malware, Dr. Richard E. Davis had to worry about the publication of before and after photos that might humiliate patients.
This dual threat — criminal hackers stealing data before they scramble it with ransomware — parallels the recent global incident involving currency exchange company Travelex. It’s a disturbing new trend among computer criminal gangs.
When the Center for Facial Restoration announced on its website recently that it had been hit by ransomware, the firm’s website had to add this chilling warning.
“(Hackers) demanded a ransom negotiation, and as of November 29, 2019, about 15-20 patients have since contacted (the firm) to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met,” the warning said, “I filed a formal complaint with the FBI Cyber Crimes Center and two days later met with the FBI where they recorded detailed information regarding the cyberattack and ransom demands. The investigation is currently ongoing.”
It’s easy to imagine the seriousness of that kind of threat. On its website, the center says it specializes in repairing other rhinoplasty — or “nose job” — surgeries that left patients unsatisfied.
“Do you avoid cameras or social situations? Let cosmetic rhinoplasty restore your self confidence with a natural-looking, attractive nose that suits your face,” the website says. “Get ready to look at the camera and smile.”
The firm has not immediately responded for comment, so it’s unclear if more patients have been threatened with extortion. But Davis told HealthITSecurity.com that he hopes the damage was limited by recent security upgrades.
“While upgrading my defenses clearly won’t help those individuals whose data has already been stolen, there is reason to suspect that the theft of patient photographs may be limited to only a very small number of individuals – mostly those patients who used email to send or receive their photographs – so the upgrades may prove useful,” Davis said.
But the trend has security professionals worried.
“At least one other ransomware group is also routinely stealing data prior to encrypting it: Maze,” said Brett Callow, a threat analyst who studies ransomware for security firm Emsisoft. “This is a recent and concerning development, especially given how susceptible the public and private sectors seem to be ransomware attacks.”
The double-whammy of ransomware and data breach can leave victim firms scrambling to respond.
“An organization whose data is stolen has no good options available,” Callow said. “Refusal to pay will probably result in the data being published; payment will get them a pinky promise that the data will be deleted. And, as that pinky promise is being made by a criminal enterprise, it carries very little weight.”
Emisoft’s 2019 report about ransomware victims found that nearly 1,000 government agencies, non-profits, and medical organizations were victims of such criminal attacks last year — and there no indication the attacks are slowing down. The dual threat gives small organizations something else to worry about.
“I am dismayed to report (our office)… was the victim of a criminal cyberattack,” Davis says on his website. “I deeply regret that individuals currently or formally under my care have been victimized by this criminal act, and I urge you to monitor your financial information closely. … . I am sickened by this unlawful and self-serving intrusion, and I am truly very sorry for your involvement in this senseless and malicious act.”