American Society of Plastic Surgeons

FBI issues cybersecurity warning to plastic surgery practices
Cybercriminals are targeting plastic surgery offices and patients

The FBI is warning the public about cybercriminals who target plastic surgery practices, surgeons and patients to harvest personally identifiable information, including sensitive medical records and photographs. Once successful, cybercriminals use social engineering techniques to enhance the harvested data and extort individuals for cryptocurrency.

The Scam

Phase 1 – Data Harvesting

Using technology to disguise ("spoof") their phone numbers and email addresses, cybercriminals use phishing techniques to deploy malware to plastic surgery offices. Once successful, cybercriminals harvest electronic protected health information (ePHI), which includes sensitive information and photographs.

Phase 2 – Data Enhancement

Cybercriminals use open-source information, including social media, together with social engineering techniques to enhance the harvested ePHI of plastic surgery patients. Cybercriminals use the enhanced data as leverage for extortion in Phase 3 and may also use it for other fraud schemes.

Phase 3 – Extortion

Cybercriminals contact plastic surgeons and their patients via social media accounts, emails, text messages or messaging apps, and demand payment to prevent the sharing of their ePHI. To pressure victims into paying, cybercriminals share the sensitive ePHI with victims' friends, family or colleagues, and create public-facing websites containing the data. Cybercriminals tell victims they will remove the data and stop sharing their ePHI only if an extortion payment is made.

Tips to Protect Your Patients and Your Practice

  • Review profile settings in your social media accounts to strengthen privacy. Preferably, make your account private and limit what can be posted by others on your profile.
  • Audit friend lists to ensure they consist of and are visible only to people you know. Only accept friend requests and follows from people you know.
  • Enable two-factor authentication for account logins.
  • Secure accounts (e-mail, social media, financial, bill pay) by creating unique and complex passwords for login; consider using a password manager to help you remember them.
  • Monitor bank accounts and credit reports for any suspicious activity; consider placing a fraud alert or security freeze on your credit reports to prevent unauthorized access.

And Finally... Report It

The FBI requests victims report these fraudulent or suspicious activities to the FBI IC3 at Be sure to include as much information as possible, including:

  • The name of the person who contacted you.
  • Method of communication used, including websites, emails and telephone numbers.
  • The wallet address(es) or bank account number(s) for extortion payments and recipient name(s), if provided.

For additional information on how to report cryptocurrency addresses connected to fraud, please see the previous Public Service Announcement published on the FBI IC3 website at IC3 | FBI Guidance for Cryptocurrency Scam Victim.

After reporting suspicious activity to the FBI, please also inform ASPS at