The Plastic Surgery Center Data Breach 2025: 64,813 Patients Across NJ, NY, PA. Billing-Vendor Hack. What To Do
The Plastic Surgery Center, P.A., a Shrewsbury, NJ plastic surgery group with 20+ locations across New Jersey, New York, and Pennsylvania, disclosed a breach at its contracted billing vendor. Unauthorized network access on November 4, 2024 was filed with HHS OCR on January 3, 2025 (64,813 affected) and patient notifications were mailed April 18, 2025. Exposed data: SSN, driver's license, passport, taxpayer ID, financial account / payment card, biometric data, and medical / health insurance information. IDX credit monitoring offered through July 18, 2025 enrollment. Class-action investigations active.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 4, 2024
Unauthorized access at contracted billing vendor's network; suspicious activity detected the same day
Nov 4, 2024
Intrusion detected by the billing vendor; third-party forensics engaged
Jan 3, 2025
HHS OCR breach submission (64,813 affected; Hacking/IT Incident; Network Server)
Apr 4, 2025
Review of impacted systems and individuals complete
Apr 18, 2025
Patient notification letters mailed; filings submitted to Vermont and Massachusetts Attorneys General
Apr 18, 2025
Disclosed publicly
Apr 21, 2025
Plaintiffs'-firm investigations open publicly
Jul 18, 2025
Deadline to enroll in complimentary IDX credit monitoring / identity restoration
Nov 4, 2024
Unauthorized access at contracted billing vendor's network; suspicious activity detected the same day
Nov 4, 2024
Intrusion detected by the billing vendor; third-party forensics engaged
Jan 3, 2025
HHS OCR breach submission (64,813 affected; Hacking/IT Incident; Network Server)
Apr 4, 2025
Review of impacted systems and individuals complete
Apr 18, 2025
Patient notification letters mailed; filings submitted to Vermont and Massachusetts Attorneys General
Apr 18, 2025
Disclosed publicly
Apr 21, 2025
Plaintiffs'-firm investigations open publicly
Jul 18, 2025
Deadline to enroll in complimentary IDX credit monitoring / identity restoration
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
The Plastic Surgery Center, P.A. (TPSC) is a multi-site plastic surgery group headquartered in Shrewsbury, New Jersey, operating 20+ locations across New Jersey, New York, and Pennsylvania under the patient-facing brand at looknatural.com. Service lines span reconstructive surgery (including post-mastectomy reconstruction), facial cosmetic surgery, body contouring, and an aesthetic / MedSpa program.
The breach did not occur on TPSC’s own infrastructure. An unknown external actor gained unauthorized access to TPSC’s contracted billing company’s network, where files containing patient information were accessed and in some cases exfiltrated.
The billing vendor detected suspicious network activity on November 4, 2024 and engaged third-party forensics. TPSC filed with HHS OCR on January 3, 2025, characterizing the event as a Hacking/IT Incident at a Network Server and reporting 64,813 affected individuals. The data review for impacted individuals completed on April 4, 2025. TPSC mailed individual notification letters on April 18, 2025 and submitted filings to the Vermont and Massachusetts Attorneys General the same week. The threat actor has not been publicly attributed, and no known ransomware-leak-site listing for TPSC has surfaced as of this writing.
The HHS OCR submission on January 3, 2025 preceded patient notification by roughly fifteen weeks. That ordering is unusual and most likely reflects a precautionary / interim filing.
Timeline
- November 4, 2024 — Unauthorized access at the contracted billing vendor’s network; suspicious activity detected the same day; forensics engaged.
- January 3, 2025 — HHS OCR breach submission (64,813 affected; Hacking/IT Incident; Network Server).
- April 4, 2025 — Review of impacted systems and individuals complete.
- April 18, 2025 — Patient notification letters mailed; filings to Vermont AG and Massachusetts AG.
- April 21, 2025 — Plaintiffs’-firm investigations open publicly (Strauss Borrelli, followed by Cole & Van Note on April 24).
- July 18, 2025 — Enrollment deadline for the complimentary IDX credit monitoring / identity restoration offer.
What was exposed
Per the entity’s own notice (as filed with the Vermont Attorney General), the exfiltrated dataset included some combination of the following per affected individual:
- Full name and date of birth
- Driver’s license number and/or passport number
- Social Security number
- Taxpayer identification number
- Financial account information and payment card information
- Biometric data
- Medical / health information and health insurance information
This is an unusually full identity stack: government ID, payment data, biometric identifiers, and clinical information were all in scope for at least some affected individuals. By data-element count, this exposure is among the most comprehensive of any 2025 healthcare vendor-breach filing at this scale.
A sensitive patient population: plastic surgery records and the photograph question
The cohort here is, by definition, a cosmetic and reconstructive surgery patient population. Plastic surgery records are different from a typical primary-care chart. The clinical file at this kind of practice routinely contains:
- Pre-operative and post-operative clinical photographs including face, breast, abdomen, and other intimate body regions. These are the standard of care for surgical planning and follow-up.
- Specific anatomic measurements and markings for breast reconstruction, abdominoplasty, rhinoplasty, and similar procedures.
- Diagnosis and procedure detail for post-mastectomy reconstruction, gender-affirming surgery, post-trauma reconstruction, and other procedures that carry meaningful stigma, discrimination, or extortion risk.
- Biometric data, which TPSC’s notice explicitly lists. In a surgical-records context this can include facial scans, 3D imaging, or other physiological identifiers.
TPSC’s notice does not enumerate clinical photographs in the list of impacted data elements. We are not asserting photographs were in the exfiltrated set. We are flagging, with full transparency, two facts:
- The notice does explicitly list “biometric data” — a category whose meaning at a plastic surgery practice is not benign.
- The Long Island Plastic Surgical Group breach (a separate 2024 incident) confirmed that clinical photographs were exfiltrated and settled for $2.6M, including a special tier of up to $1,000 per claimant whose photographs were compromised (Bloomberg Law; ClassAction.org settlement summary).
If your individual letter from TPSC enumerates photographic imagery or specific biometric identifiers, treat that as a different class of harm from financial fraud. Document the letter carefully — it materially changes a potential class-action recovery.
What TPSC is offering
- Complimentary IDX credit monitoring and identity restoration, offered at 12 or 24 months depending on the data elements involved in each individual’s record.
- Enrollment deadline: July 18, 2025. Missing this deadline forfeits the monitoring offer.
- Statements that TPSC and its vendor have secured systems and engaged outside cybersecurity professionals.
- The notice states “no evidence of actual or attempted misuse” of the compromised information as of the date of mailing. This is a standard formulation and does not reduce the protective steps a recipient should take.
Class-action posture
Multiple plaintiffs’ firms publicly announced investigations within days of the April 18, 2025 notice:
- Strauss Borrelli PLLC (April 21, 2025)
- Cole & Van Note (April 24, 2025)
- Counsel affiliated with ClassAction.org
We have not located a docketed class-action complaint against The Plastic Surgery Center, P.A. in the District of New Jersey as of this writing. (A separate D.N.J. case, The Plastic Surgery Center, P.A. v. UnitedHealthcare Insurance Co. et al, 3:24-cv-10856, is a payer-reimbursement dispute and is not related to this data breach.) Given the volume (64,813), the data elements (SSN + government ID + biometric + medical), the multi-state footprint (NJ, NY, PA), and the typical post-notice filing cadence in 2025 healthcare breach litigation, one or more putative class actions in D.N.J. or a state forum is reasonably foreseeable. The HHS OCR investigation remains open.
What to do if you were a TPSC patient
- Read your specific notification letter carefully. The letter enumerates the data elements involved in your case, including whether photographs or specific biometric identifiers are among them. Keep the letter as your evidentiary record.
- Enroll in the complimentary IDX monitoring before the July 18, 2025 deadline. It is free; not enrolling forfeits the offer.
- Place free credit freezes at Equifax, Experian, and TransUnion. SSN, driver’s license, and passport are all in the exposed set, so full freezes (not just fraud alerts) are appropriate.
- File IRS Form 14039 (Identity Theft Affidavit) if you see any indication of tax-fraud activity. Taxpayer IDs were in scope.
- Replace driver’s license and passport if your individual letter confirms exposure of those numbers. Both can be re-issued.
- Reissue any payment cards that were on file with TPSC or its billing vendor in the affected window.
- Review health-insurance Explanation of Benefits (EOBs) closely for the next 12-24 months. Health insurance and medical information were in scope, which creates medical-identity-theft risk that credit monitoring does not catch.
- Be alert to highly targeted phishing and sextortion. Threat actors holding cosmetic-surgery records can craft uniquely convincing outreach. Treat any inbound “TPSC follow-up,” “insurance reconciliation,” or “image-removal” message as hostile until verified through a phone number you obtained independently.
- Stop the ongoing flow of your surgical record. HealthConsent files HIPAA restriction and accounting-of-disclosures requests so the diagnosis, procedure, and biometric data exposed in this breach is not continuously re-shared by downstream entities (billing networks, insurers, marketing partners).
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record (64,813; Hacking/IT Incident; Network Server; filed January 3, 2025).
- Vermont Attorney General: 2025-04-18 The Plastic Surgery Center Data Breach Notice to Consumers — entity’s own consumer notice as filed with a state regulator.
- ClassAction.org: The Plastic Surgery Center Data Breach Lawsuit Investigation — incident summary and timeline.
- Strauss Borrelli PLLC: The Plastic Surgery Center Data Breach Investigation (April 21, 2025) — plaintiffs’-firm investigation.
- Cole & Van Note: The Plastic Surgery Center Data Breach Investigation (April 24, 2025) — plaintiffs’-firm investigation.
- ClaimDepot: The Plastic Surgery Center Data Breach Exposes PHI & PII — secondary aggregator with the data-element list and IDX enrollment details.
- Becker’s ASC: 3-State Cosmetic Surgery Center Faces Patient Data Breach — trade-press coverage.
- Bloomberg Law: Plastic Surgery Patient Sues Practice Over Hacked Data, Photos — precedent context (different entity: Long Island Plastic Surgical Group).
- The Plastic Surgery Center (official site) — entity website.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Vermont Attorney General: The Plastic Surgery Center Data Breach Notice to Consumers (2025-04-18)
- ClassAction.org: The Plastic Surgery Center Data Breach Lawsuit Investigation
- Strauss Borrelli PLLC: The Plastic Surgery Center Data Breach Investigation
- ClaimDepot: The Plastic Surgery Center Data Breach Exposes PHI & PII
- Becker's ASC: 3-State Cosmetic Surgery Center Faces Patient Data Breach
- Cole & Van Note: The Plastic Surgery Center Data Breach Investigation
- The Plastic Surgery Center (official site)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.