Skip to main content
health care professional health care professional

Austin Plastic and Reconstructive Surgery Data Breach Investigation

Written by Joseph Lyon on . Posted in Data Breach.

A Texas plastic surgery practice is facing serious questions about patient data security after disclosing that unauthorized actors accessed its network and potentially took sensitive personal and medical information. Austin Plastic and Reconstructive Surgery, based in Austin, Texas, notified affected patients in March 2026 about a ransomware incident that took place nearly nine months earlier. The delayed disclosure and the nature of the data involved have raised significant concerns among patients and data privacy advocates alike. Contact our data breach lawyers to investigate your claim. 

What Happened?

According to the practice’s own notification to patients, unauthorized access to its computer network occurred between June 30 and July 1, 2025. The breach was attributed to a ransomware attack, and cybersecurity reports have linked the incident to a threat actor known as “3AM.” While the network intrusion took place in the summer of 2025, the practice did not confirm the scope of the compromised data until February 28, 2026, and did not begin notifying affected individuals until March 11, 2026.

That gap between the breach occurring and patients being told about it is significant. Under the Health Insurance Portability and Accountability Act, or HIPAA, covered entities are generally required to notify affected individuals within 60 days of discovering a breach. Patients who were exposed during this window had no way to take protective steps for months.

What Data Was Compromised?

The review of affected files confirmed that the following categories of information may have been accessed or acquired by unauthorized parties:

  • Full names and home addresses
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers and state identification numbers
  • Passport numbers
  • Financial account information
  • Medical records and treatment information
  • Health insurance information

This is a particularly sensitive combination of data. Medical information from a plastic surgery practice can carry personal and reputational significance beyond what is typically found in a standard healthcare breach. When combined with Social Security numbers and financial account details, the risk of identity theft, financial fraud, and targeted phishing attempts becomes substantial and long-lasting.

Why Plastic Surgery Practices Are Targeted

Healthcare providers have become attractive targets for ransomware groups in recent years, and plastic surgery practices face a distinct set of risks. The FBI has previously issued warnings specifically about cybercriminals targeting plastic surgery offices because of the sensitive nature of the records they maintain, including clinical photographs and detailed personal histories. This combination gives threat actors additional leverage beyond standard ransomware extortion.

Ransomware attacks on healthcare organizations have increased dramatically over the past several years. According to federal data tracked by the HHS Office for Civil Rights, ransomware-related breaches reported to regulators rose by more than 260 percent between 2018 and recent reporting years. Austin Plastic and Reconstructive Surgery is just one case in a growing pattern of attacks on smaller specialty medical practices that may have fewer cybersecurity resources than large hospital systems.

What Are Your Legal Rights?

Patients whose data was exposed in a breach of this nature may have viable legal claims based on negligence, breach of implied contract, and violations of applicable data protection laws. HIPAA itself does not provide a private right of action, meaning individual patients cannot sue directly under HIPAA. However, HIPAA violations can serve as evidence of negligence in civil claims brought under state law. Class action litigation is a common avenue for affected patients to seek collective compensation without bearing the full cost of individual lawsuits.

Why Contact The Lyon Firm?

The Lyon Firm represents clients nationwide in data breach class action cases, including those involving healthcare providers and medical practices. With nearly two decades of experience in complex litigation against large institutions, The Lyon Firm has the knowledge and resources to evaluate your claim and pursue accountability on your behalf.

If you or a loved one received a notice from Austin Plastic and Reconstructive Surgery, you may be entitled to compensation. Contact The Lyon Firm today for a free, confidential consultation. There is no cost to speak with an attorney, and no fee unless your case is successful.

CONTACT THE LYON FIRM TODAY

Please complete the form below for a FREE consultation.

  • This field is for validation purposes and should be left unchanged.