Long Island Plastic Surgical Group settles after BlackCat ransomware breach
Farah Amod
April 2, 2026
A New York plastic surgery practice has agreed to resolve litigation tied to a ransomware attack that exposed sensitive patient data.
What happened
Long Island Plastic Surgical Group, P.C., a plastic surgery practice based in Garden City, New York, has agreed to a $2.6 million settlement to resolve a consolidated class action lawsuit stemming from a January 4, 2024, ransomware attack attributed to the ALPHV (BlackCat) ransomware group. According to the incident notification, attackers had access to the organization’s network between January 4 and January 8, 2024, exfiltrated sensitive information, and then deployed ransomware that encrypted files, rendering the data inaccessible until a ransom was paid. The stolen data included names, Social Security numbers, driver’s license or state identification numbers, dates of birth, biometric information, financial account data, medical information, patient photographs, insurance details, and account numbers. More than 161,000 patients were affected. The practice reported that it paid the ransom in exchange for confirmation that the stolen data had been deleted, and breach notifications were mailed to affected individuals on October 4, 2024.
Going deeper
The breach resulted in seven lawsuits from affected patients, later consolidated in the Supreme Court of the State of New York, County of Nassau under Baum et al. v. Long Island Plastic Surgical Group. The complaints included claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violations of New York consumer protection laws related to deceptive practices. Plaintiffs argued that the organization failed to properly protect personal and medical data. The practice denied the allegations and liability, and agreed to settle the case to avoid the cost and uncertainty of prolonged litigation.
What was said
In the Settlement Agreement, the defendant states that it “denies each and all of the claims and contentions alleged against it” and “denies all charges of wrongdoing or liability.” The filing explains that the decision to settle was based on practicality, noting that continuing the case would be “protracted and expensive,” with uncertain outcomes for all parties. It also confirms that the organization “was the victim of a criminal cyberattack” involving unauthorized access to its systems and disruption of certain data. The agreement further states that the settlement “shall not be deemed or construed as an admission of liability,” and is intended to resolve the dispute without further litigation.
In the know
A joint advisory from CISA describes BlackCat, also known as ALPHV, as a ransomware-as-a-service group that targets infrastructure sectors, including healthcare. The group is known for using credential theft, exploiting remote access services, and deploying advanced ransomware capable of encrypting and exfiltrating data. BlackCat was also linked to the Change Healthcare breach, one of the most disruptive healthcare cyber incidents in recent years, where attackers used stolen credentials to gain access and deploy ransomware, leading to widespread operational outages across the US healthcare system.
The big picture
The $2.6 million settlement involving Long Island Plastic Surgical Group adds to a growing pattern of healthcare breaches tied to email security gaps. The incident, which affected 161,000 patients, points to what researchers describe as a “visibility gap,” in which threats remain undetected for long periods: breaches take an average of 308 days (about 10 months) to identify and contain. While the settlement figure is notable, findings from the 2025 Mid-Year Email Breach Recap show that the true cost of a healthcare breach has reached $11 million, often driven by basic technical failures. In many cases, organizations lacked proper email authentication controls, with 74% not enforcing DMARC, allowing phishing and credential theft to succeed and serve as the initial entry point for ransomware.
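To make the DMARC enforcement point concrete, here is an added example (not from the article or from Paubox) that classifies DMARC TXT records by whether they actually enforce a policy, distinguishing a missing record, a monitor-only `p=none` record, and partial enforcement via `pct` or a weaker `sp` subdomain policy. The sample records and `.test` domain names are constructed, not real lookups.

```python
# Classify DMARC TXT records by whether they actually enforce a policy.
# All records and domain names below are constructed samples, not real lookups.
from typing import Dict, Optional

def parse_dmarc(txt: Optional[str]) -> Optional[Dict[str, str]]:
    """Parse a DMARC record into a tag dict; None if absent or not DMARC."""
    if not txt:
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # Not self-identified as DMARC1 (e.g. an SPF record at _dmarc): no DMARC.
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def enforcement_level(txt: Optional[str]) -> str:
    """Return 'missing', 'monitor', 'partial' or 'enforcing'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing"  # unknown policy value: nothing is enforced
    if policy == "none":
        return "monitor"  # reports only; spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    subdomain_policy = tags.get("sp", policy).lower()
    # pct<100 or a weaker subdomain policy leaves a gap spoofers can use.
    if pct < 100 or subdomain_policy == "none":
        return "partial"
    return "enforcing"

SAMPLES = {  # constructed examples of what a DMARC lookup might return
    "clinic-a.test": "v=DMARC1; p=reject; rua=mailto:dmarc@clinic-a.test",
    "clinic-b.test": "v=DMARC1; p=none; rua=mailto:dmarc@clinic-b.test",
    "clinic-c.test": "v=DMARC1; p=quarantine; pct=25",
    "clinic-d.test": "v=DMARC1; p=reject; sp=none",
    "clinic-e.test": None,           # no _dmarc record at all
    "clinic-f.test": "v=spf1 -all",  # wrong record type at _dmarc
}

def enforcing_share(records: Dict[str, Optional[str]]) -> float:
    """Fraction of domains whose DMARC policy is fully enforcing."""
    levels = [enforcement_level(r) for r in records.values()]
    return sum(level == "enforcing" for level in levels) / len(levels)
```

Run against the constructed sample set, only one of the six domains counts as enforcing; a `p=none` record looks like DMARC is deployed but blocks nothing.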
FAQs
Why are healthcare organizations frequent targets for ransomware groups?
Healthcare providers store large volumes of sensitive data, including personal identifiers, insurance records, and medical histories, which can be monetized or used for extortion when stolen.
What is ransomware encryption?
Ransomware encrypts files or entire systems with cryptographic algorithms so that the data cannot be accessed until a ransom is paid for the decryption key or the systems are restored from backups.
Why do lawsuits often follow healthcare data breaches?
Patients may claim harm from exposure of personal and medical information, leading to legal claims alleging negligence or failure to protect sensitive data.
What types of compensation are available in the settlement?
Class members may claim reimbursement of documented losses up to $5,000, request an alternative pro rata cash payment, or seek additional compensation if clinical photographs were exposed.
What are the next steps for affected patients?
Settlement class members must submit claims by May 18, 2026, while the deadline to object to or opt out of the settlement is May 4, 2026. A final approval hearing is scheduled for June 2, 2026.