Nude photos of Beverly Hills plastic surgery patients exposed in data hacks, lawsuit alleges

Yahoo

22-02-2025

A celebrity Beverly Hills plastic surgeon, who has appeared on television shows including "Botched" and "The Doctors," is being sued by patients who allege that their nude photos were published online after he was hacked — twice — and that he waited months to inform them of the data breaches.
Eight patients filed a class-action lawsuit earlier this month alleging that Dr. Jaime Schwartz had failed to maintain adequate cybersecurity despite multiple warnings, resulting in highly sensitive information being stolen and posted online.
Schwartz's office did not respond to a request for comment this week.
The hacked data allegedly included patients' names, phone numbers and home addresses, as well as their driver's license, insurance, credit card and medical information, according to the complaint. Also hacked were photos and videos of patients nude and partially clothed, including images of them undergoing surgery while under anesthesia, the lawsuit alleges.
Read more: Phishing attack hits L.A. County public health agency, jeopardizing 200,000-plus residents' personal info
Schwartz allegedly failed to notify patients of either the initial September 2023 hack or a subsequent one in March 2024 in a timely or appropriate manner, or to address security weaknesses in between the incidents, the lawsuit states.
According to the complaint, he only informed patients this January, after some of them found information about the breaches online. The lawsuit alleges he did not provide required notice to the California attorney general's office or the state Health and Human Services Agency.
"Despite knowing that his patients' most private medical data was in the hands of malicious actors, Dr. Schwartz waited almost 10 months to notify them," the complaint states. "Finally, after their nude photos and home addresses began being posted online — accessible to anyone with an internet connection — Dr. Schwartz issued a cursory, vague, and misleading data breach notice."
The lawsuit alleges that the hacks left patients vulnerable to identity theft and caused them severe emotional distress due to the "humiliation, shock, worry and anxiety" of knowing their information and photos could be, or had already been, posted online.
Read more: Cyberattack disrupts hospitals and healthcare in several states
The compensatory and punitive damages that plaintiffs are seeking will likely be in the "tens of millions of dollars," said their attorney, Damion Robinson.
The plaintiffs allege that Schwartz, a prominent plastic surgeon with over 189,000 followers on Instagram and offices in Beverly Hills and Dubai, had ample warning of the need to protect his client's data, but failed to take necessary steps to secure his network.
"Dr. Schwartz and others in the medical field — and in the plastic surgery field specifically — have been warned for years by government agencies and professional organizations that they are targets for hackers who seek sensitive patient data for ransom and extortion," the complaint states.
Over the last few years, hackers have targeted plastic surgery practices because the sensitive data they store can be used to facilitate identity theft, as well as attempt to extort physicians and patients.
Read more: Ransomware gangs shift tactics, making crimes harder to track
In a report published in 2019, the American Medical Assn. noted that 83% of physicians had experienced some form of cyberattack, and characterized cybersecurity as "a patient safety issue.'
According to a report from DataBreaches.net, there were at least 13 publicly reported cyberattacks on plastic surgery practices between 2017 and 2023. In 2023, the FBI issued a public service announcement warning that criminals were targeting plastic surgery offices "to harvest personally identifiable information and sensitive medical records, to include sensitive photographs in some instances."
Hackers have published the personal information of 30 of Schwartz's patients to date, the lawsuit alleges, and are threatening to continue doing so until they receive a ransom.
The lawsuit says that a small number of patients contacted Schwartz after the first hack was reported online, and that he said only a limited number of patients had been affected and other patients' information was secure.
Read more: L.A. Unified cyberattackers demand ransom
After the second data breach in March 2024, the hackers created a public website announcing their actions and sharing patients' photos and data. According to the complaint, Schwartz did not inform his patients until January, when he sent the following message to some of them:
'Our office discovered on June 27, 2024, that an unauthorized third party utilized a third-party vendor's credentials to access the practice's medical billing and practice management system. Upon discovering the incident, we engaged a specialized third-party forensic incident response firm to conduct a forensic investigation and determine the extent of the compromise. The investigation determined that data was acquired without authorization. After electronic discovery, which concluded on January 2, 2025, it was determined that some of your personal information was present in the impacted data set. We then took steps to notify you of the incident as quickly as possible.'
Sign up for Essential California for news, features and recommendations from the L.A. Times and beyond in your inbox six days a week.
This story originally appeared in Los Angeles Times.