RISKS

What happened:

JEV Plastic Surgery & Medical Aesthetics notified 1,620 patients in November 2021 about a security breach that exposed some of their protected health information (PHI).

Through an investigation into a data privacy event involving a malware infection that impacted its computer systems and caused a temporary disruption to services, JEV Plastic Surgery learned that an unauthorized actor accessed its systems and may have viewed or acquired certain patient information between April 30, 2021 and June 14, 2021. JEV Plastic Surgery conducted a thorough review of the data that was potentially viewed or acquired to determine whether it contained any sensitive information and to identify affected patients, and concluded its review around September 8, 2021.

The types of personal and/or medical information that may have been accessible to the unauthorized actor included: consultation notes, medical history, surgical operative notes, date of birth (DOB), and name. JEV Plastic Surgery stated that it is reviewing existing policies and procedures and implementing internal training protocols to mitigate any risks associated with this event and to better prevent future events.

Why is this important?

Protected health information (PHI) is highly sensitive and in high demand, with cyber criminals willing to pay up to $1,000 for each medical record, so protecting this data is more important than ever.

What does this mean to me?

Your organization’s most sensitive data also requires the most security controls, both to protect it and to promptly detect attempts to access it. End-user systems are often the initial target vector for malware, so protecting those systems and their email should be a priority. Malware detection should be deployed at all vectors, including email, the endpoint, and the network. Web Application Firewalls (WAF) should be considered for vulnerable web applications.

Helpful Controls

Email Security
Web Application Firewalls (WAF)
Endpoint Detection and Response (EDR)
Managed Detection and Response (MDR)
Extended Detection and Response (XDR)

Commonality of attack

High

Article on story

RE: JEV Plastic Surgery & Medical Aesthetics – Notice of Data Privacy Event