Long Island Plastic Surgical Group Settles $2.6M Class Action Over BlackCat Ransomware Attack
In January 2024, Long Island Plastic Surgical Group (LIPG), a private academic plastic surgery practice based in Garden City, New York, fell victim to a ransomware attack by the BlackCat (ALPHV) group. Between January 4 and January 8, hackers infiltrated LIPG’s network, exfiltrated sensitive data, and deployed ransomware to encrypt files. The stolen data included personal and medical information of over 161,000 current and former patients, such as names, Social Security numbers, driver’s license details, biometric data, financial information, medical records, and patient photographs.
The BlackCat group demanded a ransom to prevent the public release of the stolen data on its dark web leak site. LIPG opted to pay the ransom and received confirmation that the data had been deleted. However, the breach led to seven class action lawsuits, which were later consolidated into a single case. The plaintiffs alleged negligence, breach of contract, and violations of New York consumer protection laws, claiming harm from the exposure of their sensitive information.
In October 2024, LIPG notified affected individuals by mail. The case was resolved in a $2.6 million settlement, with funds allocated for legal fees, administrative costs, and compensation for class members. Affected patients may claim up to $5,000 for documented losses or opt for a pro rata cash payment. Those whose clinical photographs were compromised may receive an additional payment of up to $1,000. The settlement deadlines for objections, exclusions, and claims are set for May 2026, with final approval scheduled for June 2, 2026.
The incident underscores the persistent threat of ransomware in healthcare, where attackers target sensitive patient data for financial gain. It also highlights the legal and financial repercussions of data breaches, as well as the importance of robust cybersecurity measures, workforce training, and compliance with HIPAA regulations to mitigate risks.
Source: https://www.hipaajournal.com/long-island-plastic-surgical-group-ransomware-attack-settlement/
New York Plastic Surgical Group cybersecurity rating report: https://www.rankiteo.com/company/lipsg
"id": "LIP1773397519",
"linkid": "lipsg",
"type": "Ransomware",
"date": "1/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '161,000',
'industry': 'Healthcare',
'location': 'Garden City, New York',
'name': 'Long Island Plastic Surgical Group (LIPG)',
'type': 'Private academic plastic surgery practice'}],
'attack_vector': 'Unknown',
'customer_advisories': 'Notification by mail to affected individuals in '
'October 2024',
'data_breach': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'number_of_records_exposed': '161,000',
'personally_identifiable_information': ['Names',
'Social Security '
'numbers',
'Driver’s license '
'details',
'Biometric data',
'Financial '
'information',
'Medical records',
'Patient photographs'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal information',
'Medical information']},
'date_detected': '2024-01-04',
'date_publicly_disclosed': '2024-10-01',
'description': 'In January 2024, Long Island Plastic Surgical Group (LIPG) '
'fell victim to a ransomware attack by the BlackCat (ALPHV) '
'group. Between January 4 and January 8, hackers infiltrated '
'LIPG’s network, exfiltrated sensitive data, and deployed '
'ransomware to encrypt files. The stolen data included '
'personal and medical information of over 161,000 current and '
'former patients, such as names, Social Security numbers, '
'driver’s license details, biometric data, financial '
'information, medical records, and patient photographs. The '
'breach led to seven class action lawsuits, which were later '
'consolidated into a single case, resulting in a $2.6 million '
'settlement.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Personal and medical information of over '
'161,000 patients',
'financial_loss': '$2,600,000',
'identity_theft_risk': 'Yes',
'legal_liabilities': 'Class action lawsuits, violations of New '
'York consumer protection laws',
'payment_information_risk': 'Yes'},
'lessons_learned': 'The incident underscores the persistent threat of '
'ransomware in healthcare, where attackers target '
'sensitive patient data for financial gain. It also '
'highlights the legal and financial repercussions of data '
'breaches, as well as the importance of robust '
'cybersecurity measures, workforce training, and '
'compliance with HIPAA regulations to mitigate risks.',
'motivation': 'Financial gain',
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransom_paid': 'Yes',
'ransomware_strain': 'BlackCat (ALPHV)'},
'references': [{'source': 'Cyber Incident Description'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuits, violations '
'of New York consumer protection '
'laws',
'regulations_violated': ['HIPAA']},
'response': {'communication_strategy': 'Notification by mail to affected '
'individuals'},
'threat_actor': 'BlackCat (ALPHV)',
'title': 'Long Island Plastic Surgical Group BlackCat Ransomware Attack',
'type': 'Ransomware'}