The Federal Bureau of Investigation (FBI) warns that cybercriminals and online blackmailers are targeting plastic surgeons to harvest electronic protected health information (ePHI) on their patients. Personal ePHI includes sensitive information and photographs, enabling the cybercriminals to extort money from the patients themselves as well as from plastic surgery practices, something that could prove lucrative to blackmailers targeting wealthy celebrities who are in the public eye.
According to the FBI: “Cybercriminals are using technology to disguise their phone numbers and email addresses (‘spoof’), cybercriminals use phishing to deploy malware to plastic surgery offices.”
A phishing attack aims to con the recipient of an email that appears to come from a trusted source into opening an innocent-looking link or document, which then surreptitiously delivers its payload in the form of malware designed to harvest ePHI. Cybercriminals’ adoption of AI services such as ChatGPT and its Darknet counterpart FraudGPT has made this type of attack far more effective and far easier to execute. AI is able to trawl through endless websites and social networks to build a detailed profile of a target employee and their contacts in a tiny fraction of the time it would take a team of humans. The AI can then use this profile to craft a convincing-sounding message appearing to come from a close friend, a relative, or a trusted colleague. All the unsuspecting target need do is click on an important or amusing-looking link and the cybercriminals are able to harvest all the data they want.
The FBI also reports that the cybercriminals are using a technique recently adopted by ransomware gangs that involves exposing sensitive data even before the victim has had a chance to pay up.
“To exert pressure on victims for extortion payments, cybercriminals share the sensitive ePHI to victims’ friends, family, or colleagues, and create public-facing websites with the data. Cybercriminals tell victims they will remove and stop sharing their ePHI only if an extortion payment is made,” says the FBI.
The healthcare sector faces a new cyber threat
The FBI’s warning to plastic surgeons comes at a time when the health sector is coming under attack on a number of fronts. The US Health Sector Cybersecurity Coordinator Center has also recently issued a stark warning note about a new threat, NoEscape ransomware. The ransomware group emerged in May 2023 and is believed to be a rebrand of Avaddon, a now-defunct ransomware group. However, the unknown developers of NoEscape ransomware claim not to have simply tweaked and repackaged existing ransomware, but to have designed a whole new threat.
“The unknown developers of this ransomware claim that in lieu of using source code or leaks from other established ransomware families, they have constructed their malware and its associated infrastructure entirely from scratch,” says the note.
“Using unique features and aggressive multi-extortion tactics, in just under a year, it has targeted multiple industries, including the Healthcare and Public Health (HPH) sector. Their recent activities highlight the prominence and influence they have as a Ransomware-as-a-Service (RaaS) group,” adds the Health Sector Cybersecurity Coordinator Center.
As ransomware gangs generally employ phishing techniques to send bogus emails, potential victims are urged, in addition to tightening standard security practices, to urgently review the profile settings in their social media accounts. The FBI also recommends considering placing a fraud alert or security freeze on their credit reports to prevent unauthorized access.