A Las Vegas-based plastic surgery practice, Hankins & Sohn Plastic Surgery Associates, is currently entangled in a federal class-action lawsuit after falling victim to a cyberattack that resulted in the unauthorized exposure of private patient information, including photographs. Plaintiff Jennifer Tausinga initiated the lawsuit this spring, representing herself and others similarly affected.
The legal proceedings took a significant turn on September 15 when two additional named plaintiffs joined, and an amended complaint was filed in federal court. The amended complaint emphasizes the “harm resulting from a data and privacy breach,” highlighting concerns related to identity theft and financial fraud.
The lawsuit alleges that the cyberattack occurred around February 23, during which Hankins & Sohn’s data was “exfiltrated by a threat actor” from the healthcare provider’s computer network. The patients affected by the breach were subsequently informed, with notifications beginning on or around March 14.
According to the complaint, the data compromised in the breach encompassed a broad range of sensitive information, including patient names, contact details, dates of birth, Social Security Numbers, driver’s license information, medical history, consultation notes, and even patient photos.
The plaintiffs assert that the breach was a direct result of the defendant’s failure to implement adequate and reasonable cybersecurity procedures and protocols, ultimately placing the personal data of patients into the hands of cybercriminals with nefarious intent.
Plaintiff Jennifer Tausinga shared her harrowing experience in the complaint. She reported that, on March 28, she received a threatening message from one of the hackers via a texting app, demanding a ransom payment under the threat of exposing her information. Refusing to comply, the threat actor subsequently shared her consultation photos with friends, colleagues, and neighbors. Tausinga has since endured extortion and significant emotional distress due to the release of her sensitive data, all while remaining at heightened risk of fraud and identity theft for the foreseeable future.
Other plaintiffs detailed their experiences with the threat actors, which included leaked personal information, birth dates, email addresses, and phone numbers, along with extortion attempts involving pre-and-post operation photos.
