Cyber Incident Victim: Nashville Plastic Surgery Institute
Date: May 2020
Location: United States of America
Summary
A ransomware attack by Maze Team targeted Maxwell Aesthetics, coinciding with its post-pandemic reopening, and resulted in data exfiltration and public exposure of sensitive patient information. Compromised files included full names, dates of birth, surgical details, insurance policy numbers, medical histories, authorization requests, implant orders, and business operational documents. The breach also revealed network structure details, while the attackers employed a consistent naming convention incorporating patient identifiers in filenames. The incident occurred simultaneously with another ransomware attack on a separate plastic surgery practice, suggesting potential targeting of a shared vendor or business associate.
Description
On May 1, 2020, Nashville Plastic Surgery Institute, LLC, operating as Maxwell Aesthetics, experienced a ransomware attack attributed to the Maze Team threat actor group. The incident coincided with the practice’s reopening following a COVID-19-related shutdown. Attackers exfiltrated and publicly dumped unencrypted files containing sensitive patient information, including full names, dates of birth, diagnostic details, surgical procedure types, and health insurance policy numbers. The compromised data extended to clinical authorization requests to insurers, implant/extender orders for specific patients, and internal business operation documents. Filenames followed a structured format incorporating patients’ full names alongside surgery types and insurance providers, creating additional exposure risks independent of file contents.

The data leak exposed detailed medical histories justifying surgical procedures and insurance pre-authorizations, significantly elevating privacy concerns. Maze Team employed tactics consistent with their prior attacks on medical providers, having simultaneously targeted another plastic surgery practice in Bellevue, Washington. Maxwell Aesthetics’ website became inaccessible following the attack, disrupting operations during a critical reopening phase. While the parallel timing suggested potential targeting of a shared vendor or business associate, no conclusive evidence confirmed this hypothesis. The incident raised concerns about potential HIPAA violations because protected health information was exposed, though the entity’s specific containment or remediation actions remained undocumented in available reports.
