Beverly Hills Plastic Surgery Clinic Rocked by Patient Records Heist: "There Is Still Outstanding Stolen Property"

A week after an inside job at a Rodeo Drive reconstructive surgery practice, police are still piecing together clues and searching for stolen materials that compromised private medical and financial information of about 15,000 patients and several stars.

A week after a prominent Beverly Hills plastic surgery practice first reported a massive theft of confidential patient medical records, credit card information, photographs and recordings of patients undergoing surgery, the police have yet to recover all the stolen materials.

"There is still outstanding stolen property," an L..A. County Sheriff's Department detective involved in the investigation tells The Hollywood Reporter.

The theft, which involved some 15,000 patients and included several celebrities, occurred over a period of several months and culminated in a physical break-in, according to a statement issued by Dr. Zain Kadri, who runs Advanced ENT Head & Neck Surgery, a high-end reconstructive surgery practice located on Rodeo Drive.

The problems began when Kadri's office hired someone for the position of a "1099 driver/translator" in September 2016. Shortly after, the statement says, the new hire began "taking inappropriate photographs of patients, both before and during surgery," as well as stealing patient records and credit card information.

Then, sometime during the first week of May, Kadri's practice was burgled, resulting in the loss of patient paper records, contact details and data storage, which has prevented the physicians and law enforcement from alerting his full client roster that their details and private information have been compromised.

The list of those affected spans the globe. So far, patients have been located in 16 states and four countries, including Bulgaria, France and the United Kingdom.

It's not the first time a plastic surgery practice has been victimized. About a month before Kadri's practice went public, a Lithuanian firm called Grozio Chirurgija (which translates as Cosmetic Surgery), reported a massive hack of its databases. The clinic put out a statement indicating that the breach had been perpetrated by a hacking collective called Tsar Team, which is allegedly affiliated with the Russia-backed group Fancy Bear. Some reports have indicated that both Tsar Team and Fancy Bear are covers for APT28, a Russia-backed hacking group with ties to the GRU, or Russian military intelligence. APT28 has been tied to the hack of the Democratic National Convention. In June, roughly around the time of the theft in Beverly Hills, the Lithuanian hackers released a massive dump of some 25,000 stolen images, including "before and after" pictures of patients. The hackers also demanded payment in bitcoin, but the Lithuanian practice refused to pay.

LASD is conducting an active investigation into the Rodeo Drive theft, but a detective says that so far they don't know if more than one individual was involved. However, at least some portion of the data was removed after having been electronically transferred to a "very large hard drive," according to one LASD official.

CBS Los Angeles, which first reported the theft, said that other patients have continued to receive harassing phone calls and emails from at least one alleged perpetrator.

"It's horrifying for patients that these before and after pics would be out there," says Adam Levin, the chairman and founder of CyberScout, a cyber security firm. "Celebrities, high net-worth people — they can be targets for extortion."

Levin and other experts agree that medical practices are increasingly becoming targets of hacks and thefts. Last year, according to the Identity Resource Theft Center — which tracks statistics on data breaches, hacking and identity theft from publicly available sources — reported that 23 percent of all breaches so far this year have been related to health care and medical facilities.

In absolute terms, the number of breaches in the medical and health care industry have increased year-on-year, but since the overall number of breaches across industries have also risen dramatically, the percentages in any given industry have fallen. For example, in 2015, there were 276 medical and health care breaches. In 2016, that number jumped to 376, even as the overall percentage fell. So far this year, the medical and health care sector has recorded 159 breaches, roughly on par with last year. Meanwhile, overall breaches have also increased. In 2016, there were 1,093. As of last week, less than halfway through the year, the number was 724.

"Medical records and personal medical data is very, very rich and very valuable to thieves," says Eva Velasquez, IRTC's CEO. "They can find all kinds of ways to monetize that data."

The theft at Kadri's office represented a unique challenge in that the alleged perpetrator had been, for a time at least, a trusted employee. And experts say there's less that employers and patients can do to prevent exposure when that's the case.

"You can't do much against a trusted employee," says Levin. "That's why it's so important for practices to be monitoring data infiltration and exfiltration. What this illustrates is that breaches have become the third certainty in life, after death and taxes. Everyone has to be prepared."