Date:

May 2020

Location:

United States of America

Summary

The Maze ransomware group breached a plastic surgery practice, exfiltrating sensitive patient and corporate data despite previously declaring a moratorium on targeting healthcare entities. The attackers leaked extensive protected health information including patient names, birth dates, medical histories, treatment details, insurance records, contact information, and some Social Security numbers, alongside critical financial system credentials. The compromised data spanned multiple files containing clinical measurements, appointment logs, and payment processing passwords, potentially affecting thousands of individuals. This incident demonstrated the exposure of highly sensitive medical records and operational vulnerabilities within the practice's systems.


Description

On or around May 1, 2020, the Maze Team ransomware group conducted a cyberattack against Dr. Kristin Tarbet’s Plastic Surgery Center, a Bellevue, Washington-based medical practice specializing in eye and facial procedures. This attack occurred despite Maze Team’s prior public declaration of a moratorium on targeting healthcare entities during the COVID-19 pandemic. The attackers exfiltrated and subsequently dumped numerous files containing sensitive data as proof of their compromise. Evidence of the breach first appeared through Maze Team’s disclosures, as the surgery center’s public website displayed no visible indications of disruption or notification about the incident at the time of reporting.


The compromised data included multiple categories of protected health information and corporate records. A patient appointments spreadsheet contained approximately 39,000 entries with first and last names, dates of birth, appointment details, purposes, durations, and comments. Additional spreadsheets exposed patients’ email addresses, home and mobile phone numbers, physical addresses, Social Security numbers for some individuals, insurance information, and specific medical data including diagnostic codes, treatment codes, complaints, allergies, medications, vital signs (height, weight, blood pressure, respiration rate), and clinical notes. Maze Team also leaked files containing corporate credentials, including passwords for QuickBooks and the practice’s wireless merchant credit card account. Based on the patient file analysis, the breach potentially affected at least 22,000 individuals, though duplicate entries in appointment records suggested the actual patient count could differ. DataBreaches.net attempted to contact Dr. Tarbet for comment but received no response by the article’s publication date of May 5, 2020. The attackers’ data dump demonstrated access to extensive PHI, raising concerns about further escalations such as the potential exposure of insurance details, credit card information, or identifiable patient surgical photographs.
