The FBI has issued an official warning that particular extortion groups are targeting plastic surgery offices.
In this photo blackmail scheme, extortionists use malware to infiltrate office systems and steal personal information, then demand payment to keep it private.
Let’s take a look at why plastic surgery offices have become a recurring target and what you can do as both a healthcare clinic – and a patient – to keep yourself safe.
Specifics of the FBI Warning to Plastic Surgery Offices
According to the FBI warning, cybercriminals have repeatedly used spoofed emails and phone numbers to target plastic surgery offices across the United States. The technique is to gain access to an office's network through email or phone-based phishing that delivers malware, steal data from the compromised systems, and then extort surgeons and patients through blackmail.
Why Are Plastic Surgery Offices Being Targeted?
Documents stolen in these breaches can contain very sensitive data, including personally identifiable information, sensitive medical records, and, in some cases, even intimate photographs taken for medical purposes.
After obtaining this data, criminals enrich the harvested electronic protected health information (ePHI) with open-source information, such as social media details, to make their extortion attempts more convincing.
The extortionists then contact patients and plastic surgeons through email, phone calls, social media, and text messages, threatening to share the sensitive ePHI unless the target pays the demanded cryptocurrency ransom.
In some cases, criminals share the sensitive data with victims' family, friends, or colleagues, or post it on public-facing websites, to further pressure them into paying.
The attackers claim that they will stop sharing the ePHI once the demanded extortion payment is received.
How to Protect Your Healthcare Office from Extortion Attempts
Both healthcare offices and patients should take the following steps to protect personal information and patient data and reduce their exposure to extortion attempts.
- Never share information with an unverified caller. If someone calls and asks for an email address or any other form of personal identification, do not provide it until you have confirmed who the caller is.
- Make your social media profiles private. Select the strictest privacy settings on all social media accounts so that only approved contacts can see your activity.
- Regularly audit social media friends lists. Whether it is a business or personal account, go through the list and remove anyone you do not recognize.
- Create strong, unique passwords for all accounts, including email, social media, financial, and bill payment platforms. Consider using a password manager to store them securely so you do not have to remember each one.
- Closely and regularly monitor bank and credit statements for fraudulent activity. If possible, set up credit report fraud alerts or security freezes to slow unauthorized access attempts.
IT Services for Healthcare Clinics
At PK Tech, we have a long history of providing IT services for healthcare clinics in the Greater Phoenix Area, and we understand the pressures of protecting patient privacy. With extensive knowledge of HIPAA, we will help your clinic stay in compliance and protect your patient base.
Get in touch with the PK Tech team today if your clinic is looking to prioritize your cybersecurity in 2024.