Active breach tracker Shrewsbury, NJ Disclosed April 18, 2025

The Plastic Surgery Center Data Breach 2025: 64,813 Patients Across NJ, NY, PA. Billing-Vendor Hack. What To Do

The Plastic Surgery Center, P.A., a Shrewsbury, NJ plastic surgery group with 20+ locations across New Jersey, New York, and Pennsylvania, disclosed a breach at its contracted billing vendor. Unauthorized network access on November 4, 2024 was filed with HHS OCR on January 3, 2025 (64,813 affected) and patient notifications were mailed April 18, 2025. Exposed data: SSN, driver's license, passport, taxpayer ID, financial account / payment card, biometric data, and medical / health insurance information. IDX credit monitoring offered through July 18, 2025 enrollment. Class-action investigations active.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 4, 2024

Unauthorized access at contracted billing vendor's network; suspicious activity detected the same day

Nov 4, 2024

Intrusion detected by the billing vendor; third-party forensics engaged

Jan 3, 2025

HHS OCR breach submission (64,813 affected; Hacking/IT Incident; Network Server)

Apr 4, 2025

Review of impacted systems and individuals complete

Apr 18, 2025

Patient notification letters mailed; filings submitted to Vermont and Massachusetts Attorneys General

Apr 18, 2025

Disclosed publicly

Apr 21, 2025

Plaintiffs'-firm investigations open publicly

Jul 18, 2025

Deadline to enroll in complimentary IDX credit monitoring / identity restoration

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Driver's license number Passport number Social Security number Biometric data

03

Contact & insurance

Phishing + targeted scams

Full name Taxpayer identification number Financial account information Payment card information Medical / health information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (publicly investigating) Cole & Van Note (publicly investigating) ClassAction.org-affiliated counsel (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

The Plastic Surgery Center, P.A. (TPSC) is a multi-site plastic surgery group headquartered in Shrewsbury, New Jersey, operating 20+ locations across New Jersey, New York, and Pennsylvania under the patient-facing brand at looknatural.com. Service lines span reconstructive surgery (including post-mastectomy reconstruction), facial cosmetic surgery, body contouring, and an aesthetic / MedSpa program.

The breach did not occur on TPSC’s own infrastructure. An unknown external actor gained unauthorized access to TPSC’s contracted billing company’s network, where files containing patient information were accessed and in some cases exfiltrated.

The billing vendor detected suspicious network activity on November 4, 2024 and engaged third-party forensics. TPSC filed with HHS OCR on January 3, 2025, characterizing the event as a Hacking/IT Incident at a Network Server and reporting 64,813 affected individuals. The data review for impacted individuals completed on April 4, 2025. TPSC mailed individual notification letters on April 18, 2025 and submitted filings to the Vermont and Massachusetts Attorneys General the same week. The threat actor has not been publicly attributed, and no known ransomware-leak-site listing for TPSC has surfaced as of this writing.

The HHS OCR submission on January 3, 2025 preceded patient notification by roughly fifteen weeks. That ordering is unusual and most likely reflects a precautionary / interim filing.

Timeline

  • November 4, 2024 — Unauthorized access at the contracted billing vendor’s network; suspicious activity detected the same day; forensics engaged.
  • January 3, 2025 — HHS OCR breach submission (64,813 affected; Hacking/IT Incident; Network Server).
  • April 4, 2025 — Review of impacted systems and individuals complete.
  • April 18, 2025 — Patient notification letters mailed; filings to Vermont AG and Massachusetts AG.
  • April 21, 2025 — Plaintiffs’-firm investigations open publicly (Strauss Borrelli, followed by Cole & Van Note on April 24).
  • July 18, 2025 — Enrollment deadline for the complimentary IDX credit monitoring / identity restoration offer.

What was exposed

Per the entity’s own notice (as filed with the Vermont Attorney General), the exfiltrated dataset included some combination of the following per affected individual:

  • Full name and date of birth
  • Driver’s license number and/or passport number
  • Social Security number
  • Taxpayer identification number
  • Financial account information and payment card information
  • Biometric data
  • Medical / health information and health insurance information

This is an unusually full identity stack: government ID, payment data, biometric identifiers, and clinical information were all in scope for at least some affected individuals. By data-element count, this exposure is among the most comprehensive of any 2025 healthcare vendor-breach filing at this scale.

A sensitive patient population: plastic surgery records and the photograph question

The cohort here is, by definition, a cosmetic and reconstructive surgery patient population. Plastic surgery records are different from a typical primary-care chart. The clinical file at this kind of practice routinely contains:

  • Pre-operative and post-operative clinical photographs including face, breast, abdomen, and other intimate body regions. These are the standard of care for surgical planning and follow-up.
  • Specific anatomic measurements and markings for breast reconstruction, abdominoplasty, rhinoplasty, and similar procedures.
  • Diagnosis and procedure detail for post-mastectomy reconstruction, gender-affirming surgery, post-trauma reconstruction, and other procedures that carry meaningful stigma, discrimination, or extortion risk.
  • Biometric data, which TPSC’s notice explicitly lists. In a surgical-records context this can include facial scans, 3D imaging, or other physiological identifiers.

TPSC’s notice does not enumerate clinical photographs in the list of impacted data elements. We are not asserting photographs were in the exfiltrated set. We are flagging, with full transparency, two facts:

  1. The notice does explicitly list “biometric data” — a category whose meaning at a plastic surgery practice is not benign.
  2. The Long Island Plastic Surgical Group breach (a separate 2024 incident) confirmed that clinical photographs were exfiltrated and settled for $2.6M, including a special tier of up to $1,000 per claimant whose photographs were compromised (Bloomberg Law; ClassAction.org settlement summary).

If your individual letter from TPSC enumerates photographic imagery or specific biometric identifiers, treat that as a different class of harm from financial fraud. Document the letter carefully — it materially changes a potential class-action recovery.

What TPSC is offering

  • Complimentary IDX credit monitoring and identity restoration, offered at 12 or 24 months depending on the data elements involved in each individual’s record.
  • Enrollment deadline: July 18, 2025. Missing this deadline forfeits the monitoring offer.
  • Statements that TPSC and its vendor have secured systems and engaged outside cybersecurity professionals.
  • The notice states “no evidence of actual or attempted misuse” of the compromised information as of the date of mailing. This is a standard formulation and does not reduce the protective steps a recipient should take.

Class-action posture

Multiple plaintiffs’ firms publicly announced investigations within days of the April 18, 2025 notice:

  • Strauss Borrelli PLLC (April 21, 2025)
  • Cole & Van Note (April 24, 2025)
  • Counsel affiliated with ClassAction.org

We have not located a docketed class-action complaint against The Plastic Surgery Center, P.A. in the District of New Jersey as of this writing. (A separate D.N.J. case, The Plastic Surgery Center, P.A. v. UnitedHealthcare Insurance Co. et al, 3:24-cv-10856, is a payer-reimbursement dispute and is not related to this data breach.) Given the volume (64,813), the data elements (SSN + government ID + biometric + medical), the multi-state footprint (NJ, NY, PA), and the typical post-notice filing cadence in 2025 healthcare breach litigation, one or more putative class actions in D.N.J. or a state forum is reasonably foreseeable. The HHS OCR investigation remains open.

What to do if you were a TPSC patient

  1. Read your specific notification letter carefully. The letter enumerates the data elements involved in your case, including whether photographs or specific biometric identifiers are among them. Keep the letter as your evidentiary record.
  2. Enroll in the complimentary IDX monitoring before the July 18, 2025 deadline. It is free; not enrolling forfeits the offer.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. SSN, driver’s license, and passport are all in the exposed set, so full freezes (not just fraud alerts) are appropriate.
  4. File IRS Form 14039 (Identity Theft Affidavit) if you see any indication of tax-fraud activity. Taxpayer IDs were in scope.
  5. Replace driver’s license and passport if your individual letter confirms exposure of those numbers. Both can be re-issued.
  6. Reissue any payment cards that were on file with TPSC or its billing vendor in the affected window.
  7. Review health-insurance Explanation of Benefits (EOBs) closely for the next 12-24 months. Health insurance and medical information were in scope, which creates medical-identity-theft risk that credit monitoring does not catch.
  8. Be alert to highly targeted phishing and sextortion. Threat actors holding cosmetic-surgery records can craft uniquely convincing outreach. Treat any inbound “TPSC follow-up,” “insurance reconciliation,” or “image-removal” message as hostile until verified through a phone number you obtained independently.
  9. Stop the ongoing flow of your surgical record. HealthConsent files HIPAA restriction and accounting-of-disclosures requests so the diagnosis, procedure, and biometric data exposed in this breach is not continuously re-shared by downstream entities (billing networks, insurers, marketing partners).

Sources on this page

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.