The Hack of a London-Based Plastic Surgeon Provides a Chilling Warning About Medical Data Security

Security News ThreatsCybercrime Uncategorized
491119888Medical data can be frighteningly insecure.


In an age of almost daily data breaches, it’s not always the massive, Equifax-level incidents that are the most worrisome. Earlier this week, news broke that a hacker group known as the Dark Overlord had compromised London Bridge Plastic Surgery, a business that serves a wide clientele including, supposedly, some royals. As the Daily Beast’s Joseph Cox reports, the group appears to have “stolen a bevy of photos, including of in-progress genitalia and breast enhancement.” It’s a hack that speaks to the profound fragility of data today, and one that reminds us just how vulnerable our most sensitive information can be.

In addition to emailing the Daily Beast from a LBPS account, the Dark Overlord sent the publication graphic examples of the kind of information it had stolen. Though he doesn’t describe the photographs in detail, Cox writes, “Many are highly graphic and close-up, showing surgery on male and female genitalia. Others show apparent patients’ bodies post-operation, and some include faces.”


The Dark Overlord is likely best known for leaking 10 then-unreleased episodes of Orange Is the New Black in April. As Slate’s David Canfield wrote at the time, the group claimed to possess “another three dozen additional series and films.”

Attempting to extort media companies has helped raise the Dark Overlord’s profile (and, presumably, lined its coffers on occassion), but it also has a history of exploiting sensitive medical information. As Motherboard reported earlier this year, “The Dark Overlord first appeared in June of [2016], when they advertised hundreds of thousands of alleged records from several U.S. health care organizations on a dark web marketplace.” Similar attacks by the group followed, including a massive breach of health insurance records as well as data from an orthopedic clinic and a cancer service.

This focus matters in part because medical information can be extremely valuable. In an article on the group’s prolific extortion efforts, McClatchy’s Tim Johnson notes, “While credit cards can be canceled, medical records are largely immutable and provide family history, medications, billing information, medical diagnoses, sexual history and further details.” As Johnson writes, those packages “can sell for hundreds of dollars each,” making them far more valuable than Social Security or credit card numbers.

This trend demonstrates the increasing importance of medical data security. A handful of recent high-profile ransomware attacks have shut down hospitals around the world, creating urgent crises of care. While those disruptions all but demand a response, if only to save lives, more quotidian data breaches play out in a gray zone. As Josephine Wolff has argued in Future Tense, giving in to extortion demands may simply embolden hackers, especially when there’s no guarantee that they won’t subsequently release the data once they’ve received payment.

That’s all the more true with the Dark Overlord, a group that has proven itself to be methodologically ruthless. As the Wall Street Journal reports, the Dark Overlord released its cache of illegally obtained Orange Is the New Black episodes when Netflix refused to pay up after the hacked sound-mixing studio provided payment. This tendency appears to go hand in hand with its hunger for media attention: All indications suggest that it is interested in both making money through its exploits and making a name for itself from them.

All of this shows why the London Bridge Plastic Surgery hack may be so worrisome. For many, cosmetic surgery is already an overdetermined source of shame. Patients may opt for surgery in the first place because something about their bodies troubles them. Simultaneously, many still malign many of those who choose to undergo procedures, meaning that patients often lose out either way. Given that the Dark Overlord has previously targeted individuals with death threats—and that it allegedly has personally identifying information from the LBPS hack—it is almost inevitable that it will find new and more awful ways to exploit this data.

In the months and years ahead, medical information security will likely become an even more pressing issue. It’s a struggle that will play out on many fronts. For example, law and bioethics scholar Sharona Hoffman warns that companies could circumvent existing regulations to predictively evaluate the future fitness of potential employees. Cybercrime, in other words, is just one piece of the problem. Nevertheless, the Dark Overlord’s latest attack provides a chilling indication of just how far we have to go if we hope to protect our medical privacy.