The major data breach of Dr. Gary Motykie, a popular Beverly Hills plastic surgeon, led to sensitive information being posted on a public website, along with what appears to be very private images of the doctor himself.
According to a report filed with the LA County Sheriff’s Department, Motykie received an extortion threat in May. The crooks allegedly demanded he pay two and half million dollars to prevent the patient data, and his own, from going public.
By early June, someone posted data of 36 patients online. Now, personal details and pictures of more than 70 patients are on the site, and there’s concern among patients that more could be posted at any moment.
“I mean, this is just heinous,” said patient Elaina Shaffy as she looked at the website.
Get top local stories in Southern California delivered to you every morning. >Sign up for NBC LA's News Headlines newsletter.
Shaffy first learned her private information was made very public from another patient of Dr. Motykie’s.
“One of the women that had their information compromised on the website contacted me and said, ‘My god, my god, how much did you pay to have your stuff removed?’’’ said Shaffy, unaware of what the woman was talking about. “I had absolutely no idea.”
Shaffy logged onto the website and found her picture, taken at the doctor’s office, along with her name, phone number and email address. Since she had nasal surgery, the picture posted is of her face, but many of the other images include patients’ breasts along with their names, birthdates, phone numbers, email addresses, and links to their medical records and financial information.
Some are known social media influencers, and each week the hacker has added more patients to the site. There are now more than 70 women exposed.
“Not only have they compromised your financial, your personal, and then they’re seeing you in these vulnerable, horrible pictures. Who wants anyone to see those photos?” said Shaffy.
Shaffy has now filed a lawsuit claiming negligence and intentional infliction of emotional distress.
The suit alleges the doctor was careless in “storing extremely private patient information” in a way that “third parties were able to access it, post it on the internet and then seek to extort money from Motykie and Motykie’s patients,” and notes, “if all this were not enough, defendants also stored extremely disturbing pornographic homemade videos filmed of Dr. Motykie pleasuring himself.”
Videos and images of what appear to be the doctor are posted at the top of the hacker’s website, right above all the patients’ data.
“Wow it’s shocking, it’s shocking,” said Shaffy.
After learning of the site’s existence, Shaffy searched her junk mail and found the hacker had reached out to her and other patients on June 8, 2023 about the breach and ransom demand.
She says she immediately emailed the hacker, and what she learned surprised her. “Somebody had paid a great deal of money to have my profile removed,” said Shaffy
Her picture was also the only one not linked to her medical record and financial information. It is unclear who paid.
Shaffy says she emailed the hacker, offering to also pay for her medical record. But the hacker told Shaffy her data was purged and instead offered her the chance to purchase all the other records on the site for $800,000 dollars, to which she declined.
When asked what this tells her about her doctor’s cybersecurity, Shaffy responded, “It just tells me that he was so reckless and that he just did not care about anyone.”
That’s what she claims in her lawsuit: “…the failure to take adequate steps to secure such highly sensitive patient material was more than negligent, it was reckless…”
“There is a trend toward criminals going down market, towards clinics and smaller organizations that are known to be less protected,” said Michael Hamilton, co-founder of Critical Insight.
Hamilton is an information security specialist and consultant with expertise in health care cybersecurity. The I-Team reached out for his assessment of this case.
“This one is a little different,” said Hamilton.
He says the data dump of patient records combined with what appears to be very private pictures and videos of Dr. Motykie is unusual.
“The first question that comes to mind is why these things were mixed up,” said Hamilton. “There are multiple regulators that get involved now.”
The I-Team reached out to Dr. Motykie for an on-camera interview, but he declined. Instead he sent a statement saying he cannot comment on pending litigation, but he did confirm the data breach, stating in part: “the third-party responsible for this situation has made demands for money in exchange for information to be deleted. We and law enforcement cannot guarantee that any payment will result in information being deleted or used in any way in the future. … we continue to work very closely with law enforcement.”
Michael Hamilton offered advice for patients whose data was breached.
“A lot of weirdos are out there and your information is now public. If you start getting advances from people that seem weird, you should report that sooner rather than later.”
Shaffy says she and other patients she’s spoken with are haunted by this breach.
“Who else has our information? Did they sell it to somebody else? Is it going to be on some other website we don’t even know about? “
The LA County Sheriff’s Department is investigating, along with the FBI. The detective assigned to the case emailed patients whose data was breached, explaining he was unsuccessful in taking down the website. He told patients, “It is being operated out of Russia.”
The detective also said Dr. Motykie would be offering patients a two-year subscription for identity theft protection. The patients who spoke with the I-Team say that is not nearly enough.
Full statement of Gary Motykie:
Any alleged data security incidents are investigated, and appropriate steps are taken. We do not provide any public information about any alleged incidents until we have what we believe to be accurate and complete information, and we cannot speak to any pending litigation and ongoing law enforcement involvement.
We can confirm, however, that the third-party responsible for this situation has made demands for money in exchange for information to be deleted. We and law enforcement cannot guarantee that any payment will result in information being deleted or used in any way in the future. We have no control over what the third party is doing or other persons who are attempting to spread misinformation concerning this matter or taking steps to put the investigation and individuals in difficult situations. However, we are working with the investigation team and are taking recommended steps. We continue to be in communication with individuals who may be impacted.
We are committed to addressing this situation and we continue to work very closely with law enforcement, as law enforcement is also investigating other incidents similar to this matter.