plastic surgeon working on face

Nude “before and after” photos stolen from plastic surgeon, posted online, and sent to victims’ family and friends

The FBI is investigating a data breach where cybercriminals were able to steal patients’ records from a Las Vegas plastic surgeon’s office, and then post the details online which included nude photos.

In February, cybercriminals gained access to Hankins & Sohn’s network, which has offices in both Henderson and Las Vegas. From there, the cybercriminals were able to download patient information.

The practice sent a letter to patients in March and April notifying them of the breach.

“On or about February 23, 2023, Hankins & Sohn became aware of suspicious activity relating allegations by an unknown actor that data was stolen from our network. We quickly took steps to investigate the validity of the claims and to assess the nature and scope of the activity and what information may have been affected. We are also working with law enforcement to investigate the activity. We learned that files were taken by the unknown actor prior to this date.”

Apparently, the cybercriminals didn’t get what they wanted from Hankins & Sohn and started posting the information online. Several patients and court documents say that the stolen data included sensitive personal information, such as names and Social Security numbers, but also nude photos of patients taken before and after surgery.

They cybercriminals didn’t stop at that. They sent the data, along with the nude photos, to family and friends through patients’ email accounts.

According to 8NewsNow, about a dozen women have since filed a lawsuit against the firm, claiming they did not do enough to protect their private and personal information. None of the documents posted online were encrypted. It was unclear Monday if Hankins & Sohn was storing its data per HIPAA rules. A spokesperson for the office that oversees HIPAA-related investigations declined to comment.

HIPAA is short for Health Insurance Portability and Accountability Act. HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The victims claim that the Hankins and Sohn failed to implement adequate and reasonable cybersecurity procedures and protocols to protect their Personally Identifiable Information (PII) and Protected health information (PHI).

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.