Cyber Incident Victim: The Center for Facial Restoration
Date:
Nov 2019
Location:
United States of America
Summary
A Florida-based facial surgery practice experienced a server breach compromising sensitive patient information, including identification documents, contact details, photographs, and payment records. Cybercriminals initially demanded ransom from the clinic before directly extorting individual patients by threatening public release of their stolen data, with approximately 15–20 victims reporting such threats and up to 3,500 potentially affected. The incident was reported to the FBI, which initiated an ongoing investigation and advised targeted patients to file complaints. Following the attack, the clinic implemented enhanced security measures such as new hardware, firewalls, and malware detection systems, while publicly acknowledging challenges in notifying patients due to reliance on scanned paper intake forms rather than structured digital records.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 8, 2019, Dr. Richard Davis, founder of The Center for Facial Restoration (TCFFR) in Miramar, Florida, received an anonymous communication from cybercriminals claiming they had breached the clinic’s servers. The attackers asserted possession of complete patient data, threatening to publicly expose or sell the information unless unspecified ransom demands were met. Initial demands targeted the business itself, but the criminals subsequently escalated their campaign by directly contacting patients. By November 29, 2019, approximately 15–20 patients had reported receiving individual ransom threats, which warned of public release of their photos and personal information unless payments were made. Dr. Davis estimated up to 3,500 current and former patients could be impacted by the breach. Compromised data included government-issued identification documents such as driver’s licenses and passports, home addresses, email addresses, phone numbers, clinical photographs, and credit card payment receipts. The attackers leveraged stolen patient intake questionnaires containing this sensitive information, which had been stored as scanned documents rather than in a structured electronic database.
Dr. Davis reported the incident to the FBI’s Cyber Crimes Center on November 12, 2019, and provided detailed attack information during an in-person meeting with the Bureau on November 14. The FBI’s investigation remained ongoing at the time of TCFFR’s public statement, with patients urged to file independent complaints via the Internet Crime Complaint Center (IC3.gov). In response to the breach, TCFFR implemented new security measures including replacement of hard drives, installation of upgraded firewalls, and deployment of enhanced virus and malware detection software. Dr. Davis issued a public apology on the clinic’s website, expressing distress over the criminal intrusion and acknowledging challenges in directly notifying affected patients due to the paper-based storage of personal information. The public notice served as the primary communication method to alert patients about the incident and ransom threats, as the lack of a digital patient contact database hindered individual outreach efforts.