#Privacy: Threat actors demand ransom from surgical company

Threat actors are individually threatening patients of a hacked surgical company and demanding money in return for not exposing their personal information. 

In November last year, The Center for Facial Restoration, Inc. (TCFFR) was struck by a cyber attack.

Plastic surgeon and company founder Dr. Richard Davis wrote in a statement on the TCFFR website that he had received an anonymous communication from threat actors on November 8, 2019, stating that the clinic’s server was breached.

The hackers claimed to have “the complete patient’s data” for TCFFR that “can be publicly exposed or traded to third parties.”

In addition to sending Davis a ransom demand for an undisclosed amount, threat actors began demanding ransoms from individual TCFFR patients.

“They demanded a ransom negotiation, and as of November 29, 2019, about 15-20 patients have since contacted TCFFR to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met.”

It is believed that the personally identifiable information (PII) of nearly 3,500 former or current patients may have been affected by the attack. Compromised data include home addresses, email addresses, driving licenses, passports, phone numbers, patient photographs and credit card payment receipts. 

The attack was reported to the FBI’s Cyber Crimes Center on November 12, and two days later Davis met with the Bureau, “where they recorded detailed information regarding the cyberattack and ransom demands.”

“The investigation is currently ongoing. The FBI requests that patients receiving ransom demands file an independent cybercrime complaint online at www.ic3.gov,” wrote Davis. 

Since the discovery of the attack, Davis has installed new hard drives, viral/malware detection software and firewalls to prevent future cyber attacks.

“But no system is foolproof, and even the United States government with all its resources has been victimized repeatedly.”

