Cyber Incident Victim: Maxwell Aesthetics

Date: May 2020

Location: United States of America

Summary

A ransomware attack by the Maze Team targeted Maxwell Aesthetics, coinciding with its post-COVID-19 reopening. The attackers exfiltrated and publicly dumped unencrypted patient files containing names, dates of birth, diagnostic details, surgical procedures, insurance policy numbers, and specific medical device orders linked to individuals. Filenames incorporated patients’ full names alongside sensitive medical and insurance data, compounding exposure risks that likely triggered HIPAA notification requirements. Operational documents and network information were also compromised. The breach disrupted the practice’s online presence, rendering its website inaccessible during the incident.


Description

On May 1, 2020, Nashville Plastic Surgery Institute, LLC, operating as Maxwell Aesthetics, experienced a ransomware attack by the Maze Team threat group coinciding with its reopening after a COVID-19-related closure. The attackers exfiltrated and publicly dumped unencrypted files containing extensive protected health information (PHI) of patients, including full names, dates of birth, diagnostic details, surgical procedure types, and health insurance policy numbers. Patient data exposure was exacerbated by the clinic’s file-naming convention, which incorporated patients’ full names alongside surgery types, insurance providers, and procedure dates (e.g., "<last name> <first name> <type of surgery> <name of insurance company> <month> <year>"). Maze Team further disclosed sensitive clinical documents, such as medical histories justifying surgeries, insurer authorization requests, and orders for patient-specific surgical implants or extenders. Operational files detailing business functions and network infrastructure were also compromised. The attack mirrored a contemporaneous ransomware incident targeting Dr. Kristin Tarbet’s plastic surgery center in Bellevue, Washington, suggesting a possible coordinated campaign against the sector or an attack on a shared vendor, though no specific business associate was identified.

The breach necessitated HIPAA-mandated notifications due to the exposure of identifiable health data, with filenames alone constituting a reportable disclosure risk. Exfiltrated clinical records revealed sensitive details beyond administrative data, including medical rationales for procedures and insurance correspondence. Immediate operational impacts included the unavailability of Maxwell Aesthetics’ website at the time of reporting, hindering external communications and recovery efforts. DataBreaches.net noted unsuccessful attempts to contact the clinic for verification. Maze Team’s data dump tactics amplified reputational and regulatory risks, as the publication of surgical authorizations and implant orders exposed proprietary processes and patient care specifics. The incident occurred during a critical operational period as the clinic resumed services post-pandemic shutdown, compounding disruption. No containment actions or forensic details were disclosed in available sources.
