
Beverly Hills Plastic Surgeon Sued for Not Telling Patients Hackers Stole Their Nude Photos


This article was produced in collaboration with Court Watch, an independent outlet that unearths overlooked court records.

A Beverly Hills plastic surgeon’s patients filed a class action lawsuit against him earlier this month after they say he didn’t tell them that his patient information database had been hacked twice, and that their personal information and nude photos of themselves undergoing surgery had been posted online. 

The lawsuit alleges that the surgeon, Dr. Jaime Schwartz, did not secure his patients’ information with industry-standard safety protocols, and that he lied about the scope of the first hack when patients asked him about it. Schwartz may also be familiar to some reality TV viewers, having appeared on shows such as “Botched,” according to his website.

“Despite charging clients thousands of dollars and having access to their deeply private medical information, Dr. Schwartz disregarded basic security measures necessary to protect that information from malicious cyberattacks,” the lawsuit states. “As a result of his negligence, he allowed his network to be compromised twice in less than a year [emphasis in original].”

In both cases, Dr. Schwartz did not notify his patients of a hack until some of them found their information—including nude photos of themselves with their faces visible—online, according to the lawsuit. 

The lawsuit alleges that Dr. Schwartz was first notified of a hack of his patient database in October of 2023, when the hacking group Hunter International posted that it had access to his data. 

“The hackers had exfiltrated 1.1 terabytes of data from Dr. Schwartz, consisting of 248,245 files,” the lawsuit states. “The dark web posting included four patient photos, including one nude photo with the patient’s face visible.” 

Schwartz refused to pay the ransom, according to the lawsuit. One month later, the hackers updated the post with a note to him.

“Seems like you don’t want to protect your data at all,” the lawsuit quotes the note as reading. “More than 30 days had passed already since your network has been breached. You have been provided with everything you have asked about…But you keep begging for proofs [sic]. This is not the way we going to make business with you. Maybe you will do us a favor and transfer half of the money to prove that you can pay for your data?” 

The lawsuit does not specify how much money the hackers had asked for as part of the extortion. About two weeks after the note was posted, the lawsuit states, the hackers put up another update including nude photos of patients. “If you find your private data here just email us and we will let you know how to proceed further with actions against this DOCTOR!” the last update read, according to the lawsuit. 

The lawsuit alleges that Schwartz did not notify his patients of the hack until some of them found information about it online. One plaintiff reached out to him to ask whether her data was compromised as part of the breach. 

“Thereafter, a person claiming to be in charge of cybersecurity for Dr. Schwartz called [the plaintiff],” the lawsuit states. “[She] is informed and believes that the person was Dr. Schwartz’s brother.”

According to the lawsuit, the head of cybersecurity told the plaintiff that the breach had only affected six people, that her data was not included, and that Schwartz was “working with the FBI and had completely overhauled the computer system to prevent future cyberattacks.” 

The medical world is not new to this kind of extortion. Both major hospitals and private clinics have suffered data breaches in recent years, and over 500 breaches of varying degree were reported to the U.S. Department of Health and Human Services in 2024. The American Medical Association found in 2019 that 83 percent of doctors in the U.S. had experienced some kind of cyber attack. 

Plastic surgeons, however, have recently become a popular target because of the kind of data they retain. A patient’s file includes not only their medical and financial information, but also photographs taken as part of the treatment process. Depending on the surgery, many of those photographs are taken nude. Even as far back as 2017, hackers targeted a plastic surgeon whose clients allegedly included royal families and stole a wealth of highly personal photos. 

“This information is particularly valuable for purposes of sale on the dark web to facilitate identity theft and for purposes of ransom/extortion against physicians and patients,” the lawsuit states.

In October of 2023, the FBI released a public service announcement that hackers were targeting plastic surgeons. The announcement said that hackers would phish plastic surgeons’ offices to get access to their patient information databases, then use “open-source information” like patients’ social media profiles as leverage.

“Once successful, cybercriminals use social engineering techniques to enhance the harvested data and extort individuals for cryptocurrency,” the announcement stated. 

Yet the lawsuit alleges that Schwartz did not take any extra precautions after his October hack. And, in March of 2024, it claims, he was hacked a second time. In this breach, the lawsuit alleges, “The entirety of Dr. Schwartz’s patient data was compromised.”

“[Schwartz] failed to notify his patients as required by federal and state law,” the lawsuit states. “He waited to do so until after the hackers posted a public website announcing the hack and leaking patients’ names, contact information, and nude photographs, and began contacting his patients directly. Despite knowing that his patients’ most private medical data was in the hands of malicious actors, Dr. Schwartz waited almost 10 months to notify them [emphasis in original].” 

Schwartz sent his patients a generic message about the second hack in January of 2025. He wrote that, “An unauthorized third party utilized a third-party vendor’s credentials to access the practice’s medical billing and practice management system…It was determined that some of your personal information was present in the impacted data set. We then took steps to notify you of the incident as quickly as possible.”

Despite the head of cybersecurity’s promise of a full system overhaul, the lawsuit alleges that Schwartz’s team did not sufficiently secure its network-connected devices, did not train its staff to avoid phishing emails, and did not properly vet or secure its third-party vendors with access to sensitive patient data. It also claims Schwartz did not adequately monitor his network activity or implement “appropriate network ‘traffic’ controls to prevent the exfiltration of large amounts of data.” The lawsuit additionally claims Schwartz did not have appropriate anti-malware software or firewalls in his system.

The lawsuit also alleges that, when it was filed, Schwartz had not yet contacted the California attorney general or the U.S. Department of Health and Human Services about either hack.

“To date, the hackers have posted approximately 30 patient files,” the lawsuit states. “They have warned that they will continue releasing patient files, in alphabetical order, until Dr. Schwartz contacts them to address the matter.”

The plaintiffs are demanding damages of up to $3,000 per violation per person, amounting to more than $5 million, as well as a potential jury trial. 

Schwartz’s office did not respond to a request for comment.
