161,000 Patients, One Ransom Payment, and a $2.6 Million Settlement: The LIPSG BlackCat Attack

On January 4, 2024, an unauthorized actor slipped into the network of Long Island Plastic Surgical Group and spent the next four days stealing some of the most sensitive patient data a healthcare provider can hold. Clinical photographs. Social Security numbers. Financial account details. By the time the intrusion was discovered, the BlackCat ransomware group had what it needed to demand payment — and LIPSG paid. What followed was a nine-month notification delay, seven separate lawsuits, and ultimately a $2.6 million settlement that is still working its way through the courts.

Long Island Plastic Surgical Group, P.C. (LIPSG) is a Garden City, New York-based private plastic surgery practice with an academic affiliation. It treats tens of thousands of current and former patients across the tri-state area. In the first days of January 2024, it became one of many healthcare organizations targeted by BlackCat — a ransomware group that, at that moment, had just been warned by the U.S. government to stop targeting hospitals and had responded by announcing it would target more of them.

The Attack: Four Days Inside the Network

According to court filings and breach notices reviewed in this report, the intrusion at LIPSG began on or about January 4, 2024. The HIPAA Journal reported that the forensic investigation confirmed attackers accessed the network between January 4 and January 8, 2024 — a four-day dwell period during which data was exfiltrated before encryption was deployed.

The sequence is consistent with BlackCat's standard double-extortion methodology: steal the data first, then lock the systems. That order of operations is deliberate. It gives the attacker two forms of leverage: the encrypted files that disrupt operations, and the stolen data that can be published or sold if the ransom is not paid. Victims who restore from backups and decline to pay still face the second threat.

[Infographic: LIPSG BlackCat Attack Chain. Stage 1 Initial Access; Stage 2 Lateral Movement; Stage 3 Exfiltration; Stage 4 Encryption; Stage 5 Extortion. Caption: Jan. 4–8, 2024 — BlackCat affiliates exfiltrated patient data before deploying ransomware, enabling double extortion: pay or the data goes public.]

The file review was completed on September 15, 2024 — more than eight months after the initial intrusion. LIPSG said it was unaware of any confirmed misuse of the stolen data at that time, but the scope of what was taken made that caveat cold comfort for patients.

Who Is BlackCat / ALPHV?

BlackCat, also known as ALPHV or Noberus, first emerged in November 2021. It operates as a ransomware-as-a-service (RaaS) collective: a core developer group builds and maintains the malware, while affiliates — essentially hired contractors — conduct the actual intrusions and keep between 60 and 90 percent of any ransom paid. Wikipedia's entry on the group notes it was the first ransomware operation to run a public data leak site on the open internet, a tactic that raises the public pressure on victims considerably.

The group is widely believed to be a rebrand of DarkSide, the gang responsible for the 2021 Colonial Pipeline attack, with many of its affiliates and developers carrying over from that operation and its successor, BlackMatter. The FBI has assessed that many of the developers and money launderers connected to BlackCat have direct links to DarkSide and BlackMatter.

Context: Healthcare Targeting

In December 2023, a coordinated law enforcement operation led by the FBI temporarily seized BlackCat's infrastructure and released decryption keys estimated to save victims roughly $68 million in ransom payments. BlackCat's response was to publicly instruct its affiliates to begin targeting hospitals with no restrictions. The LIPSG attack occurred just two weeks into that retaliatory campaign. According to a joint advisory from CISA, the FBI, and the Department of Health and Human Services, healthcare became the group's most commonly targeted sector from mid-December 2023 onward.

By September 2023, the FBI had reported that BlackCat had compromised more than 1,000 victims globally and collected nearly $300 million in ransom. The group's most consequential attack came in February 2024 — one month after the LIPSG breach — when it struck Change Healthcare, a UnitedHealth Group subsidiary that processes roughly one in three U.S. patient records. That attack ultimately affected more than 100 million individuals and prompted a reported $22 million ransom payment, after which BlackCat shut down in what security researchers described as an exit scam, withholding affiliate payments before going dark. As of early 2025, the group has not reappeared under its existing branding.

What Was Stolen — and Why It Matters

The categories of data confirmed stolen from LIPSG are exceptional even by the standards of healthcare breaches. The HIPAA Journal's coverage of the initial breach disclosure confirmed that attackers obtained: full names, dates of birth, Social Security numbers, driver's license and state identification numbers, passport numbers, financial account information, credit and debit card details, medical information, biometric data, health insurance policy information, and clinical photographs of patients.

That last category — clinical photographs — distinguishes this breach from a standard financial data exposure. Plastic surgery practices document procedures photographically before and after treatment. These are intimate images, taken in a clinical context with an expectation of strict confidentiality. Their theft creates a category of harm that financial fraud monitoring cannot address. Patients cannot freeze a photograph the way they can freeze a credit report.

"Impacted information may have included patients' full names, Social Security numbers, dates of birth, addresses, telephone numbers, driver's license numbers, medical information and health insurance information, clinical photographs of patients, other protected health information, financial account information, and payment card information." — Official settlement notice, Baum et al. v. Long Island Plastic Surgical Group, P.C., Index No. 618453/2024

More than 161,000 current and former patients were affected. The breach notice filed with the Texas Attorney General on October 9, 2024 confirmed the scope. Affected individuals whose Social Security numbers were involved were offered complimentary credit monitoring services, though LIPSG stated at the time of notification that it was unaware of any confirmed improper use of the data.

The Ransom Payment and the Notification Gap

LIPSG made the decision to pay the ransom demanded by BlackCat. The practice received confirmation from the attackers that the stolen data had been deleted. This is a common assurance offered by ransomware groups and one that security professionals treat with consistent skepticism: there is no technical mechanism to verify deletion, and in at least one high-profile parallel case — the Change Healthcare attack — an affiliate publicly disclosed that data remained in their possession even after a ransom was paid and deletion was confirmed.

The notification timeline is one of the most significant aspects of this case from a regulatory standpoint. The intrusion occurred on January 4, 2024. The forensic file review was completed on September 15, 2024. Affected individuals were notified by mail on October 4, 2024 — nine months after the initial breach. HIPAA's Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days following discovery of a breach. The gap between discovery and the completion of forensic analysis may account for much of the delay, but the timeline will likely draw scrutiny from HHS's Office for Civil Rights if a formal investigation follows the settlement.

HIPAA Notification Timeline

HIPAA's Breach Notification Rule (45 C.F.R. §§ 164.400–414) requires notification to affected individuals within 60 days of discovery. The LIPSG notification was mailed on October 4, 2024 — nine months after the breach began. Whether the forensic review timeline satisfies the "discovery" clock under HIPAA is a question that regulators may still address independently of the civil settlement.
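The 60-day clock described above turns on which event counts as "discovery", and the article leaves that question open. The following Python script is an added illustration, not part of the original article or of any regulator's tooling: it computes the HIPAA individual-notice deadline for each candidate discovery event and reports how far the October 4, 2024 mailing fell on either side of it. The two candidate discovery dates (the end of the confirmed access window and the completion of the forensic file review) are assumptions chosen for illustration; the article does not state when LIPSG itself first detected the intrusion.

```python
from datetime import date, timedelta

# HIPAA Breach Notification Rule: individual notice "without unreasonable
# delay and in no case later than 60 calendar days after discovery"
# (45 C.F.R. 164.404(b)). The rule counts calendar days, not business days.
HIPAA_NOTICE_DAYS = 60


def notification_deadline(discovery: date, window_days: int = HIPAA_NOTICE_DAYS) -> date:
    """Last permissible date for individual notice given a discovery date."""
    return discovery + timedelta(days=window_days)


def days_late(discovery: date, notified: date, window_days: int = HIPAA_NOTICE_DAYS) -> int:
    """Positive: days past the deadline. Zero or negative: notified in time."""
    return (notified - notification_deadline(discovery, window_days)).days


def assess_timeline(intrusion_start: date, candidates: dict, notified: date) -> dict:
    """Evaluate one notification date against several candidate 'discovery'
    events. Returns {label: (deadline ISO string, days late, compliant)}.
    Rejects a candidate that precedes the intrusion itself, since nothing can
    be discovered before it happens."""
    results = {}
    for label, discovery in candidates.items():
        if discovery < intrusion_start:
            raise ValueError(f"{label!r}: discovery date precedes intrusion start")
        late = days_late(discovery, notified)
        results[label] = (notification_deadline(discovery).isoformat(), late, late <= 0)
    return results


# Dates taken from the article. Which event starts the clock is the open
# question; the two candidate discovery events are assumptions for illustration.
LIPSG_INTRUSION_START = date(2024, 1, 4)
LIPSG_NOTIFIED = date(2024, 10, 4)
LIPSG_CANDIDATES = {
    "end of confirmed access window (assumed discovery)": date(2024, 1, 8),
    "forensic file review completed": date(2024, 9, 15),
}


def lipsg_assessment() -> dict:
    """Run the assessment on the LIPSG timeline."""
    return assess_timeline(LIPSG_INTRUSION_START, LIPSG_CANDIDATES, LIPSG_NOTIFIED)


if __name__ == "__main__":
    for label, (deadline, late, ok) in lipsg_assessment().items():
        status = "within 60 days" if ok else f"{late} days past the deadline"
        print(f"{label}: deadline {deadline}, notice mailed {LIPSG_NOTIFIED}: {status}")
```

Run it and the two readings diverge sharply: if discovery is the end of the access window, the deadline was March 8, 2024 and the mailing was 210 days late; if discovery is the completion of the file review, the deadline was November 14, 2024 and the mailing was 41 days early. That spread is exactly why the choice of discovery date matters to regulators.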

Seven Lawsuits, One Consolidation, One Settlement

Shortly after notifications went out in October 2024, seven separate putative class action lawsuits were filed by patients in New York state court. They were consolidated into a single action — Baum et al. v. Long Island Plastic Surgical Group, P.C., Index No. 618453/2024 — in the Supreme Court of the State of New York, County of Nassau.

The consolidated complaint asserted claims across six legal theories: negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of New York's Consumer Law for Deceptive Acts and Practices Act. The plaintiffs alleged that LIPSG failed to implement reasonable cybersecurity safeguards to protect the sensitive information entrusted to it, and that the breach caused concrete financial and non-financial harm to class members.

LIPSG denied all allegations and denied that any class member suffered injury as a direct result of the incident. The settlement, which received preliminary court approval on January 29, 2026, was reached to avoid the cost and uncertainty of continued litigation — a standard posture in data breach class actions, and one that neither confirms nor resolves the underlying security failures.

What the Settlement Actually Pays

The $2,600,000 settlement fund must cover several categories of cost before individual class members receive anything. Per the official settlement notice and the court-approved settlement website at LIPSGSettlement.com, the fund is allocated in this order: settlement administration and notification costs, attorney fees and expenses, service awards for class representatives, and then payments to class members.

Class members have two options. They may file a claim for reimbursement of documented, out-of-pocket losses directly traceable to the breach — up to a maximum of $5,000 per claimant. Eligible expenses include unreimbursed fraud losses, professional fees such as attorney or accountant costs incurred because of the breach, credit monitoring costs, and related expenses such as postage, notary fees, and costs associated with placing or lifting credit freezes. Alternatively, class members who do not have documented losses may submit a claim for a pro rata cash payment from whatever remains in the fund after all other disbursements. The final amount of that alternative payment will depend on total claim volume.

Key dates for class members: the deadline to object to or opt out of the settlement is May 4, 2026. Claims must be submitted by May 18, 2026. The final approval hearing is scheduled for June 2, 2026.

Class members who received a breach notification by mail are automatically included. Those who did not receive notice but believe their information was affected can contact the settlement administrator at LIPSGSettlement.com or by phone at 1-877-382-4677.

Key Takeaways for Healthcare Security

  1. Ransom payment does not equal data deletion. LIPSG paid and received confirmation of deletion. That confirmation is unverifiable. Healthcare organizations should treat any such assurance as legally and operationally meaningless, and plan their incident response accordingly.
  2. Clinical photographs are a distinct liability category. Plastic surgery, dermatology, and other specialties that maintain photographic records face a uniquely severe harm profile in a breach. Standard financial identity protection services do not address the exposure of intimate medical images. Risk assessments and data minimization strategies need to account for this.
  3. The notification gap creates compounding legal risk. A nine-month span between breach and patient notification — even when explained by the pace of forensic review — exposes covered entities to HIPAA enforcement action in addition to civil litigation. The civil settlement does not resolve regulatory exposure.
  4. Healthcare organizations were BlackCat's primary targets in early 2024. The LIPSG attack occurred at the height of a deliberate campaign by BlackCat affiliates against U.S. healthcare. Organizations in this sector that had not completed threat-specific security assessments by early 2024 were operating in a known high-risk environment without adequate preparation.
  5. $2.6 million divided among 161,000 claimants leaves very little for individuals. Even before legal and administrative costs are deducted, the per-patient fund ceiling is approximately $16. The documented-loss pathway offers a more meaningful recovery for those who can substantiate specific harm — but that requires documentation that many breach victims do not retain.

The LIPSG settlement follows a now-familiar arc: a sophisticated ransomware group exploits a healthcare network, exfiltrates deeply sensitive data, collects a ransom payment, and disappears while patients receive a letter nine months later. The civil settlement provides some financial remedy for a fraction of those affected. What it does not provide — and what no settlement can — is a recall of the data itself. For 161,000 patients, some of whose clinical photographs are now in the possession of an unknown threat actor, that is a permanent condition.

Sources:
  The HIPAA Journal
  HIPAA Journal breach confirmation
  Official LIPSG Settlement Website
  ClassAction.org
  CISA #StopRansomware: ALPHV BlackCat Advisory
  CISA/FBI/HHS Updated Advisory (Feb. 2024)
  Krebs on Security
  Wikipedia: BlackCat (cyber gang)

Disclaimer: This article is provided for informational and educational purposes. It does not constitute legal advice. Individuals who believe they are class members in Baum et al. v. Long Island Plastic Surgical Group, P.C. should consult the official settlement website or a qualified attorney.
