Hackers have stolen the data of a large cosmetic surgery chain and are threatening to publish patients’ before and after photos, among other details.
The Hospital Group, which has a long list of celebrity endorsements, has confirmed the ransomware attack.
It said it had informed the Information Commissioner of the breach.
On its darknet webpage, the hacker group known as REvil said the “intimate photos of customers” were “not a completely pleasant sight”.
It claimed to have obtained more than 900 gigabytes of patient photographs.
The Hospital Group, which is also known as the Transform Hospital Group, claims to be the UK’s leading specialist weight loss and cosmetic surgery group.
It has 11 clinics specialising in bariatric weight loss surgery, breast enlargements, nipple corrections and nose adjustments.
The company has previously promoted itself via celebrity endorsements, although it has not done so for several years.
Former Big Brother contestant Aisleyne Horgan-Wallace told Zoo magazine about her breast enhancement surgery with The Hospital Group in 2009.
Atomic Kitten singer Kerry Katona, Shameless actress Tina Malone and reality TV star Joey Essex from The Only Way is Essex are also previous patients who have endorsed the clinic.
The Hospital Group said in a statement: “We can confirm that our IT systems have been subject to a data security breach. None of our patients’ payment card details have been compromised but at this stage, we understand that some of our patients’ personal data may have been accessed.”
The company said it had emailed all its customers about the cyber-attack and would contact individuals who might have had more personal details compromised.
It’s understood that many before and after pictures will not include the patients’ faces.
One customer told the BBC he was worried about his pictures and data being in the hackers’ hands.
Simon Hails had chest reduction surgery with The Hospital Group.
He said the company had not told him about the ransom.
“I have had an email from The Hospital Group informing me of a ‘data security incident’ but no detail as to what has been hacked,” he told the BBC.
“I’m obviously concerned as the last thing I want is ‘before photos’ being splattered around in the public domain. I’ve tried to keep my surgery private and not even some of my friends and colleagues know about it, so the data breach is concerning for me.”
Ransomware is one of the most prolific forms of cyber-attack. It typically involves hackers gaining access to a computer network and either encrypting files or locking users out of their systems until a ransom is paid.
More recently, ransomware gangs have been taking a copy of the data and threatening to release it.
Law-enforcement agencies discourage victims from paying the ransom because doing so fuels the criminal enterprises.
Cyber-security company Emsisoft estimates that the burgeoning form of cyber-crime has earned criminals $25bn (£18bn) in 2020.
REvil, also known as Sodinokibi, is one of the most prolific ransomware groups. Its high-profile victims include currency exchange Travelex and entertainment law firm Grubman Shire Meiselas & Sacks.
In September, The Hospital Group said surgery requests had increased by 25% since 2019.
Its chief executive Tony Veverka told the ITV News Tonight programme at the time that Covid-19 health concerns had prompted the spike, as people tried to find ways to lose weight.