
Cyber Incident Victim: AZ Plastic Surgery Center

Date: Dec 2018

Location: United States of America

Summary

A plastic surgery center in Arizona was targeted by thedarkoverlord hacking group, which breached its network and accessed sensitive patient data including names, addresses, medical records, and identification documents. The attackers attempted to extort the practice, threatening to release compromising pre-operative photos and patient details, particularly targeting celebrity clients. The center refused payment demands and reported the incident to law enforcement, federal health authorities, and affected individuals. Exfiltrated data included identifiable patient photos linked to names and extensive medical dictations, with the hackers subsequently leaking a sample archive containing hundreds of files. Approximately 5,500 patients were notified about potential exposure of their information, though no misuse was confirmed at the time of disclosure.

CIA Posture: available to members
Motives: 2 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actor: 1 actor
Threat Actor Type: available to members
Threat Actor Location: available to members

Description

On December 10, 2018, AZ Plastic Surgery Center, a Scottsdale-based practice owned by Dr. Robert Spies, discovered unauthorized access to its computer network by cybercriminals identified elsewhere as thedarkoverlord (TDO). The practice immediately engaged law enforcement, including the FBI, and initiated a forensic investigation with cybersecurity experts. The analysis confirmed that the attackers may have accessed documents containing patients’ personal and medical information, including names, addresses, dates of birth, procedure notes, diagnoses, medications, and health insurance numbers. A subset of records exposed more sensitive data: Social Security numbers, driver’s license or passport numbers, credit card or financial account details, and pre-operative photos for a limited number of patients. Prior to the official notification, TDO had publicly claimed responsibility on the KickAss forum, sharing a 531.8 MB sample archive of stolen data after the practice refused their extortion demands. The archive contained three folders: "Dictations" (75 files), "Photos" (over 160 images), and "Patient ID Verification" (4 files), with metadata indicating that the most recent files were created on December 5, 2018, documenting services from November 28, 2018.

The data the attackers released posed significant identification risks, as many photos depicted patients’ faces or used filenames combining first initials and last names. TDO’s public post taunted Dr. Spies for rejecting their "handsome proposition," suggesting parallels to their prior London Bridge Plastic Surgery Center breach, where celebrity patient data was likely targeted for extortion. While no direct evidence confirmed that TDO contacted patients privately, the archive’s content implied potential coercion leveraging sensitive before-and-after surgery imagery. AZ Plastic Surgery Center formally notified 5,524 affected individuals and reported the breach to the U.S. Department of Health and Human Services (HHS), emphasizing that there was no evidence of data misuse at the time of disclosure. The practice maintained transparency by publishing an incident summary on its website, though it omitted explicit attribution to TDO. Forensic efforts focused on securing systems and assessing the scope of exposure, with law enforcement actively investigating the extortion attempt.

Sources: 1 source (available to members)