One patient of a well-known Beverly Hills plastic surgeon whose topless photos and personal information is posted on the internet is in search of information about what happened and what is being done about it.
It’s been almost 15 years since a patient we're calling Jane to protect her identity saw Dr. Gary Motykie for breast surgery. Late last month, she found out from another patient her topless photos and personal information had been posted to a public website.
"I'm just horrified, just completely physically ill, because I had not prior knowledge," Jane said.
As of this week, there are now 14 rows of women, around 80 patients, with their names, dates of birth, email addresses, phone numbers and financial information, plus medical records, posted on the web.
Get Southern California news, weather forecasts and entertainment stories to your inbox. Sign up for NBC LA newsletters.
“Apparently, I’m just like some row, like another row of women that’s released," Jane said. "There are literally all these women, all these rows.”
I'm just horrified, just completely physically ill, because I had not prior knowledge (of the hack).
"Jane," former patient of Dr. Gary Motykie
Also on the site are what appear to be images of Dr. Motykie, described in a lawsuit filed about this breach as “extremely disturbing pornographic, home-made videos.”
Two days after the first report by the I-Team, Dr Motykie’s legal team filed updated information with the Attorney General’s Office in Maine, listing the breach as affecting 3,461 patients.
“It’s very unusual, and it’s actually not like any extortion attempt I’ve ever seen before,“ said threat analyst Brett Callow of cybersecurity firm Emsisoft.
Callow is very familiar with seeing data breaches on the dark web.
It’s very unusual, and it’s actually not like any extortion attempt I’ve ever seen before.
Brett Callow, Threat Analyst
“Those websites are usually sloppily created. There’s not much effort that goes into them,” said Callow. “But this one is different. It does appear as some care went into it, and it seems specifically intended to outrage.”
And outrage is what Jane says she is feeling. She said she reached out to Motykie’s office and the LA County Sheriff’s Department weeks ago, but she says she didn’t hear back from anyone.
“Nobody, and that’s why I contacted you,” Jane said.
“In my personal opinion, patients and people in general should find out there information has been compromised from the organizations which lost their data," Callow said. "It should never ever be through the hackers."
Motykie filed a report about the extortion with the LA County Sheriff’s Department on May 11, saying he first communicated with the hackers in April. According to that report, he told detectives they demanded $2.5 million in crypto currency “to prevent his personal photographs/videos and photographs of his patients from being made public.”
In early June, the first 36 patients were exposed online. Among them was Elina Shaffy, who filed a lawsuit about the breach claiming “intentional infliction of emotional distress.” But she says she did not receive notification about the breach from Motykie’s office until June 30, after the I-Team reached out to the doctor for comment that same day.
On July 6, the American Board of Plastic surgery sent a message to its members, the third one since May, warning of “fraudulent ransomware aimed at plastic surgeons." The alert explains that emails appearing to come from the board office have an attachment or link that when clicked on, “launches the ransomware and combs for patient data and photos.” The FBI is investigating.
On July 19, nine days after the first report by the I-team, Motykie reported the breach to the California attorney general as required by law, outlining the data at risk. As previously reported, that data includes detailed personal information, ranging from social security and driver's license numbers to financial information, medical records and images.
As of July 27, Motykie’s website does not directly reference the data breach, but does have a warning posted: “Beware of impersonators!”
NBC4 reached out to Motykie for an on-camera interview, he declined. However, his social media and public relations manager told the I-Team by phone that their No. 1 interest is in protecting the victims.
“We try our best to reach out to the patients directly and we’ve spoken to a multitude of patients,” said Ethan Reynolds. “But this is a high-volume practice so there’s no way we could personally connect with every patient that’s ever been part of the practice.”
Reynolds also noted contact information for patients could have changed. He said the FBI was at the office last week, but that’s little comfort to Jane.
“I am a sitting duck,” she said.
Just this week the hackers posted a new note on the site, announcing a change in strategy, writing in part: “...before publishing a new client’s data, we give them a choice. If the client is willing to pay $2,500, we guarantee that their data will be deleted on our end and will not go public.”
But cyber experts warn against that.
“It makes little sense for patients to pay in this case. There is no guarantee the data will be removed, and the hacker is a criminal. They’re not a trustworthy person,” Callow said.
Jane is troubled her information from so many years ago was even accessible to the hackers.
“It shouldn’t even exist in his system at this point!” she said. “I should have been so buried and encrypted in archives that I would never, never be in this at all.”
Last week she also filed a report online with the FBI. For her, the breach has been emotionally devastating and traumatizing.
"My biggest question is, who’s talking to the women, who’s talking to he faces that’s in those rows?” asked Jane. “Because no one’s talking to me.”
Expert tips to protect yourself from a hack
- Never click on a link or attachment that feels the least bit strange.
- Better yet, visit links by typing in an address rather than clicking on one provided in an email or text message.
- Use two factor authentication whenever possible. The first factor is a password. The second commonly includes a text or email with a code sent to you, or uses biometrics, like your fingerprint or face ID
- Keep your computer and cell phone up to date with the latest operating system he and security patches
- if you are hacked, report it to the FBI by filing an IC3 report.
Contact number regarding Dr. Motykie data breach
- 310-246-2355
- 9am-5pm, Pacific Time
- Monday-Friday
Previous statement provided by Dr. Gary Motykie on July 3, 2023
Any alleged data security incidents are investigated, and appropriate steps are taken. We do not provide any public information about any alleged incidents until we have what we believe to be accurate and complete information, and we cannot speak to any pending litigation and ongoing law enforcement involvement.
We can confirm, however, that the third-party responsible for this situation has made demands for money in exchange for information to be deleted. We and law enforcement cannot guarantee that any payment will result in information being deleted or used in any way in the future. We have no control over what the third party is doing or other persons who are attempting to spread misinformation concerning this matter or taking steps to put the investigation and individuals in difficult situations. However, we are working with the investigation team and are taking recommended steps. We continue to be in communication with individuals who may be impacted.
We are committed to addressing this situation and we continue to work very closely with law enforcement, as law enforcement is also investigating other incidents similar to this matter.
