Patients of a U.S. plastic surgeon have filed a class-action lawsuit, accusing the doctor of concealing a data breach. According to the plaintiffs, Dr. Jamie Schwartz was targeted by hackers on two separate occasions but failed to inform his patients of the incidents. As a result, sensitive personal data—including explicit photographs taken during surgery—was leaked online.
The lawsuit alleges that the surgeon neglected to safeguard medical information in accordance with industry security standards and provided misleading details about the scope of the initial cyberattack. Schwartz reportedly refused to pay the ransom demanded by the hackers, despite their threats to expose the stolen data.
The first breach occurred in October 2023, when the hacker group Hunter International claimed to have infiltrated the clinic’s database. According to the lawsuit, cybercriminals exfiltrated 1.1 terabytes of data, comprising 248,245 files, including patient photographs. In November, the hackers demanded payment and, upon refusal, began publishing compromising images to escalate pressure on the doctor.
In the spring of 2024, the clinic suffered a second attack, leading to the complete compromise of its patient database. However, the plaintiffs claim that Schwartz failed to implement adequate security measures and neglected to notify the victims. For ten months, patients remained unaware of the breach—until hackers began contacting them directly, offering to “resolve the issue” in exchange for money.
An investigation revealed that the clinic lacked robust cybersecurity protocols: modern antivirus software was not in place, network traffic was not monitored, and staff had not been trained in phishing attack prevention. Additionally, third-party contractors had access to the system without undergoing proper security vetting.
The American Medical Association had already reported in 2019 that 83% of physicians in the United States had encountered cyberattacks. In recent years, plastic surgeons have become particularly high-value targets, as their records contain not only medical and financial data but also highly personal photographs taken during treatment.
The FBI has repeatedly warned of a surge in cyberattacks targeting plastic surgeons and urged medical institutions to strengthen their security infrastructure. However, according to the lawsuit, Schwartz ignored these warnings and failed to take the necessary precautions to prevent the breaches.
The plaintiffs are seeking up to $3,000 per violation, bringing the total damages to more than $5 million. Additionally, they have demanded a jury trial. As of now, representatives of the clinic have not issued any public statements regarding the case.
