Patients of a hacked facial surgery company in Florida are being individually threatened by cyber-criminals, who are demanding money in return for not releasing stolen personal information to the public.
The Center for Facial Restoration, Inc. (TCFFR), located in Miramar, became the victim of a cyber-attack in November last year.
In a statement published on the TCFFR website, plastic surgeon and company founder Dr. Richard Davis wrote: "On November 8, 2019, I received an anonymous communication from cyber criminals stating that my clinic’s server [was] breached."
"The hackers claimed to have 'the complete patient’s data' for TCFFR that 'can be publicly exposed or traded to third parties.'"
Along with the message that his business had been compromised, Davis received a demand for an undisclosed ransom.
The ambitious cyber-criminals, not content with whatever money they may have been able to extort from the specialist rhinoplasty company, then began demanding ransoms from individual TCFFR patients.
"They demanded a ransom negotiation, and as of November 29, 2019, about 15–20 patients have since contacted TCFFR to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met," wrote Davis.
Davis believes up to 3,500 former and current patients may have been affected by the cyber-attack. Compromised data may include driving licenses, passports, home addresses, email addresses, phone numbers, patient photographs, and credit card payment receipts.
The incident was reported to the FBI's Cyber Crimes Center on November 12, and on November 14 Davis met with the Bureau to pass on detailed information regarding the attack and the ransom demands.
Davis wrote: "The investigation is currently ongoing. The FBI requests that patients receiving ransom demands file an independent cybercrime complaint online at www.ic3.gov."
Since the attack, Davis has installed new hard drives, firewalls, and virus/malware detection software in hopes of preventing a similar incident from happening.
"I am sickened by this unlawful and self-serving intrusion, and I am truly very sorry for your involvement in this senseless and malicious act," wrote Davis.
The doctor published a public notice concerning the incident as the company's data storage practices made it difficult to contact patients individually.
"Because we store PII as the scan of the patient’s intake demographic questionnaire, and not in an electronic demographic database, obtaining contact information in order to individually notify all 3,500 patients has been painstakingly slow and labor intensive, and access to the data has been hindered by ongoing IT service disruptions," wrote Davis.