[HN Gopher] Hackers threaten to leak plastic surgery pictures
___________________________________________________________________
Hackers threaten to leak plastic surgery pictures

Author : g_p
Score  : 124 points
Date   : 2020-12-24 17:00 UTC (6 hours ago)

(HTM) web link (www.bbc.co.uk)
(TXT) w3m dump (www.bbc.co.uk)

| hprotagonist wrote:
| Paging King Roland of Druidia...
|
| imgabe wrote:
| This sort of thing just shouldn't even be a viable threat. The response should be "go ahead and publish it, who cares?"
|
| If you heard tomorrow that there were a bunch of plastic surgery before and after photos online, would you even go look? What is the threat here - that people will search the data for people they know and...make fun of them? Really?
|
| SirSavary wrote:
| People who have gone through gender affirmation surgery may want that to remain hidden knowledge
|
| breck wrote:
| > "None of our patients' payment card details have been compromised but at this stage, we understand that some of our patients' personal data may have been accessed."
|
| Reminds me of a statement put out by White Star Lines in 1912:
|
| "None of our passengers' payment card details have been compromised but at this stage, we understand that some of our passengers' personal lives may have been affected."
|
| function_seven wrote:
| The deck chairs appear to be arranged optimally at this time, but we understand that other circumstances may reduce demand for them.
|
| pstrateman wrote:
| Why would you even keep these on anything but archive media??
|
| zimpenfish wrote:
| Perhaps they bring them out to show people who are considering the same surgeries but haven't yet committed?
|
| (Although I'd hope they obscure identifying details and get permission from the original patients...)
|
| tompazourek wrote:
| The patient can come for a checkup or a related thing and they want to be able to easily retrieve these if they want to check something (or in case there's an issue of sorts).
| Having it all in a single system is the easiest way to do that.
|
| arkitaip wrote:
| Because they are lazy, incompetent and indifferent. But they might be against a very powerful and public group of people who can sue them out of existence, so maybe that will scare other health providers into better security practices.
|
| sidlls wrote:
| You hinted at it but didn't mention it explicitly: greedy. It simply costs more to have somewhat better security practices, and they don't want to pay unless they have to.
|
| bigbubba wrote:
| Lazy indifference probably explains it more than greed I think. If they cared, a doctor could add _"burn a CD and put it in the filing cabinet with the other patient records"_ to the job duties of their secretary without increasing their compensation. It would only take a few more minutes, and would only slightly detract from the time they spend idly chatting with each other.
|
| But they simply don't care.
|
| ironmagma wrote:
| Whether the cause is laze or greed, criminal consequences would probably motivate people to actually care about this stuff.
|
| novok wrote:
| More accurately, they are NOT tech professionals, the type of people who do IT for small private practices are not that good either and they really just don't know for the majority of it. You really can't expect these people to understand the full consequences of stuff like encryption, offline vs online media and more. To them, if it has a user name and password, that is safe right? Use the HIPAA lockbox software and it should be good right?
|
| In the past before computers they would be putting these in files on a large file folder shelving units with colored folder tabs behind a counter and the only real security was a receptionist that would stop you if you tried to interact with it, and they locked the door to the office when they left.
| If someone broke into the office back then too, your medical records would've been stolen & unencrypted (beyond the illegibility of most doctor's handwriting) and as a society, we were ok with that security level.
|
| jeffbee wrote:
| I don't want them to be tech professionals. I want them to use the best in class tools they can get, which it turns out are also the easiest to use and often the cheapest. If this surgery practice had just kept their photos on Google Drive with GSuite admin policy enforcing 2FA, they would have been most of the way to gold standard infosec and also would have dramatically better real-world durability and availability. Any consultant could have set them up that way in an hour.
|
| novok wrote:
| That doesn't protect against the kind of attack that compromises the end point (wait for logged in 2FA state, interact with browser in the background with exact same state in a headless mode and download), and you do not know when they set up their systems where Gsuite, 2FA & HIPAA / UK Equivalent agreements were even available back then.
|
| For all you know, they could have had that system too, the article does not say what it was.
|
| jeffbee wrote:
| These kinds of things never turn out to be that sophisticated. It's always that they left the SMB port open and the password was "password".
|
| bigbubba wrote:
| You're probably right that ignorance is the root of their apathy. Hopefully with this event making the news, doctors at least in the same specialty will hear about it and do something. Unencrypted offline records physically secured in the office building seems more than adequate in all but the most exceptional scenarios though. Maybe it wouldn't be good enough for doctors of high-value targets (celebrities, politicians, etc.) Burglars targeting medical records seems uncommon.
|
| Harsh fines are probably the best way to make doctors care though.
| If they know they risk financial ruin for not securing their records, they'll have a strong personal incentive to remediate their ignorance.
|
| cratermoon wrote:
| You'd think that, but... SolarWinds
|
| ars wrote:
| Keeping data on live hard disks costs quite a bit more than archiving it to tape or DVD and sticking it in a file cabinet.
|
| jdeibele wrote:
| There's a one-time purchase of bigger/more disks. Figure 1GB (50 20MB pictures) per customer. Just add another 2TB, then 4TB, now 8TB or bigger drive. That's about $250 or $300 each time. Double that for a sync'd drive somewhere in the office.
|
| Now they should be doing 3-2-1 backups. With S3 they'd be paying $160/month (for storage, not counting other costs) for 8TB or $40/month for BackBlaze B2. That's 8,000 customers.
|
| They're in England so some variance in pricing. But it would be relatively inexpensive to buy big drives, sync them to a set in the office, and back them up online. Where the doctors or whoever is running the clinics can SEE the data is still there whenever they want.
|
| I agree that there should be increasing worry about keeping information that you don't need, whether it's intimate pictures of your surgical clients or people who bought from you 5 years ago and not since. But it seems like keeping things handy will be an impulse that's hard to overcome.
|
| novok wrote:
| TBH DVDs / Blu-Rays are too low density, expensive and labor intensive, and tape drives start at $1000 and most non tech professionals don't know they even exist. 2.5TB of 25 100GB writable BDXL disks cost about $250. A 4TB drive costs $80 and a computer to throw in 3.5" HDDs pretty cheap too.
|
| adkadskhj wrote:
| Maybe. Sounds like their incentive will be primarily to keep _some_ records more safe. Eg I'm skeptical that this would propagate to poor people, without legislation at least.
|
| _(which isn't to say that they'd purposefully choose two different implementations. Rather, just that if I'm using poor person doctors I'm unsure they'd rise to the new "standard" of security practices)_
|
| Aeronwen wrote:
| "I'm a doctor, not a computer security expert, Jim!"
|
| elliekelly wrote:
| I didn't let my plastic surgeon take before and after photos for this exact reason. I asked him whether it was necessary for the procedure and what they were used for and he couldn't really give me an answer beyond it's nice to be able to compare the finished product. So I told him when I came back in for my post-op I'd be more than happy to pull up a before picture on my phone for him to use to admire his work. I even let him take the "before" photo on my phone. I'm sure he thought I was a paranoid tinfoil hat type but he really didn't seem to mind.
|
| nwatson wrote:
| Why does a software engineer keep old git-repo branches around, including their history? The engineer can compare the before-and-after especially as they relate to experiments, successful, and failed approaches.
|
| A plastic surgeon might want to look at before-and-after for a few of their "branches" (specific plastic surgeries or repeated applications of a technique). "When I did celebrity-A I notice they sag too much in location-X, whereas for celebrity-B where I changed the procedure location-X looks much better." "Celebrity-P has the same odd nose Celebrity-K had ... let me consult my notes and the before/after for Celebrity-K."
|
| [deleted]
|
| EvanAnderson wrote:
| Why does everybody keep data hanging around forever? It's easier. You don't have to think about it. Just keep kicking the files onto new media every few years / at a new server refresh.
|
| I did some IT work for a plastic surgery practice in the US many years ago. I was adding some storage to an existing server.
| I was shocked to see that the practice was keeping all their before / after photos online going back years. Not encrypted. Hanging out in Windows file shares with lax permissions.
|
| It certainly gave me pause.
|
| Maybe some software providers in this space will think about handling this better.
|
| fabianhjr wrote:
| What always amazes me is that credit card data is almost always safe since VISA/MasterCard and others have very stringent security requirements. (PCI DSS)
|
| There are some regulations regarding medical data (Eg, HIPAA) but security seems like an afterthought in most hospitals at best.
|
| Godel_unicode wrote:
| Let's not go letting credit card processors off the hook, this was barely a month ago. Part of our security team is essentially full-time on dealing with the consequences of actors using stolen credit cards.
|
| https://www.forbes.com/sites/billhardekopf/2020/11/13/this-w...
|
| fabianhjr wrote:
| From that article:
|
| > security researchers from Website Planet found that Cloud Hospitality stored information from more than 10 million travelers on an unsecured database with no password protection.
|
| That will be taken by credit card companies as gross negligence and breach of contract (they include PCI DSS compliance on all contracts and a requirement that they do the same for anyone that processes credit card data for them) plus anyone going the legal route (and indeed there are reports of a class action that mention PCI DSS compliance explicitly)
|
| My original comment was more in regards the care and security that is expected.
|
| hahamrfunnyguy wrote:
| I've done work in the medical industry, both for hospitals and private software companies developing medical software. In my experience; security, stability and compliance with HIPAA and other regulations are taken very seriously.
|
| xxs wrote:
| That's UK, no HIPAA per se.
| Funny enough, the infamous GDPR applies and data leaks are quite punishable.
|
| The Hospital Group is in a quite bad position: 1) the blackmail, in no definition that's ransom. 2) The data leak has to be reported and potentially they will get fined by the state.
|
| As for taking regulation seriously, I guess it does depend on the industry. Where I work GDPR and regulatory breaches are treated more seriously than downtime.
|
| Bukhmanizer wrote:
| In my experience HIPAA is taken very seriously in the sense that people are willing to have meetings _about_ HIPAA, with furrowed brows and serious expressions and a lot of signatures. Are the actual end-products more secure? No probably not. Of course this probably varies drastically from place to place.
|
| jabits wrote:
| Like you said, it may vary place to place, but you are definitely more secure when complying with HIPAA than without. The very act of discussing security within an organization in a structured way is a good start.
|
| edit: missing word
|
| fabianhjr wrote:
| There are plenty of reports of hospitals using out-of-support Windows versions (95-XP) with known vulnerabilities on _networked connected_ devices. ( https://nakedsecurity.sophos.com/2020/02/20/nearly-half-of-h... )
|
| On the parent comment I am not saying that hospitals aren't HIPAA compliant but rather that the security expectations of credit card data are higher than medical data.
|
| speedgoose wrote:
| Same. And we have external audits and experts checking what we do.
|
| OminousWeapons wrote:
| Securing payments is much simpler than securing medical data in many ways because payment processors are centralized entities with established protocols for data transmission, where communication is largely many (vendors) to one or few (the processors), and where only one type of data is being moved.
| Health care organizations are HIGHLY decentralized entities where authentication is extremely difficult; where orgs employ many different protocols and software stacks; where many different types of data need to move freely between many orgs, with various levels of sophistication, in many different directions (patient to provider, provider to patient, provider to provider, provider to payer, payer to provider, patient to payer, payer to payer, provider to regulator, provider to researcher, provider to vendor, etc), with few established standards for how that is done (paper, phone, email, web application, fax, API, snail mail, CD, hard drive, USB, etc), with many people having access; and where organizations need to be porous, with high turnover by design. It should also be realized that a failure to access payment data or process a payment results in lost business and headaches. A failure to access medical data may kill someone, so tradeoffs between confidentiality and availability are much more nuanced.
|
| 542458 wrote:
| Good comment, especially WRT trade off between confidentiality and availability. Nonetheless, I do feel that many of these items (few standards, little interchange, often old tech, data decentralization) are primarily problems because the vendors and hospitals don't really have strong incentive to solve them. I do appreciate that the problem is non-trivial, but I don't think that the problem would be unsolvable should the appropriate incentives be put into place.
|
| radicalbyte wrote:
| In the medical world you have standards (HL7, DICOM, XDS) which are all about throwing large amounts of data around hospital networks (and in the case of XDS - outside). It's a castle with moat model of security - everything within the network is trusted and they focus on keeping the bad guys out.
|
| Obviously that's a horrible strategy and it delivers the expected results..
|
| jrumbut wrote:
| This is an amazing summary of the problem and why it remains a problem.
|
| tidepod12 wrote:
| I've worked as a security consultant for healthcare companies for years. The HIPAA Security Rule is a joke. The HIPAA Security Rule requirements are extremely basic things like "users must have their own login username rather than sharing an account" or "data should be encrypted where appropriate" (and it's left up to the company to decide where they think is "appropriate". There's also zero requirements around the type of encryption or implementation around it.. you could use a Caesar cipher and probably pass a HIPAA audit).
|
| Yes, as the other commenter mentioned, hospitals do "take it seriously" in the sense that they put a lot of importance on passing HIPAA audits... but passing a HIPAA security audit is a checkbox exercise for security controls that are a decade+ outdated. It means absolutely nothing about an organization's _actual_ security maturity.
|
| cratermoon wrote:
| Can confirm. Even getting the ISO27001 certification is mostly about checking boxes. In many cases an ISO27001 item can be satisfied by picking one of several ways that standard gives to claim it's not relevant.
|
| popotamonga wrote:
| All a joke, we tell the auditors what they want to hear, we provide documents to prove the processes are implemented as they should but then in practice nothing is followed but they don't get to know that.
|
| bladegash wrote:
| You don't even have to check boxes for ISO 27001 these days. All you need to do is pay "consultants" in certain foreign countries about $5k and you magically receive your certification.
|
| hsbauauvhabzb wrote:
| Can you elaborate? I'm not attempting to use them, it's a useful tool when explaining 27001 doesn't mean jack.
|
| ashishb wrote:
| Private data is a toxic asset. Businesses should learn to purge it regularly to minimize such damages.
|
| jessaustin wrote:
| One would think that if anyone had seen enough breasts, it would have been a plastic surgeon. Maybe they preserved these images for use in malpractice suits, but that's not a reason to keep the images online.
|
| underseacables wrote:
| Are these photos really of interest to anyone? I think for most people you can tell if they've had work done. I guess the elephant in the room is breast augmentation, but I think it's pretty easy to tell the difference between natural and bolt-on.
|
| tompazourek wrote:
| Lot of the photos might show private parts, and I think people will feel violated when these are shared without their consent.
|
| underseacables wrote:
| But is it enough that the company should worry? It's not the Fappening. I just think so what, it's tragic and a black eye on the company, but it's like stealing something with no value.
|
| motoxpro wrote:
| Pretty sure the company makes money by people going to get plastic surgery. I'm not going to buy from a company where my private pictures are leaked. Reputation is valuable. The pictures might not be valuable to you, but a lot of people pay for "leaked" celebrity photos, of which the company has a lot of.
|
| traceddd wrote:
| Should the celebs worry? Probably not. Should the company worry? Yes, they'll have a name for that surgeon who leaks your medical documents and doesn't really care enough to pay to keep your privacy. There are other good surgeons out there, probably right next door. Customers will be more likely to choose someone else.
|
| draw_down wrote:
| This is just denial
|
| reiderrider wrote:
| Do hacker groups have positive track records of not sharing their stolen data? It's ironic to pay and then rely on trusting them.
|
| wolco2 wrote:
| Yes even if you don't pay because unless revenge is part of the target attacking you they just waste time with no gain.
|
| Miner49er wrote:
| Yes, otherwise people would stop paying them.
| However, I wouldn't be surprised if once they make enough money, they do a type of exit scam: sell anything they can, then leave the business. It happens often in dark net markets.
|
| ryanlol wrote:
| Most stolen data is very hard to sell for meaningful amounts. Such an "exit scam" would be a waste of time, you'd make more money by just ransoming one more company.
|
| When you're earning (tens of) millions by extorting companies you aren't going to be very interested in selling their data for tens or hundreds of thousands.
|
| Miner49er wrote:
| True, it's probably not worth the time unless they've stolen some very valuable data. Obviously things like plastic surgery pics wouldn't be worth much of anything.
|
| washadjeffmad wrote:
| Depends on the clients. I remember a case where a family that hid their daughter's cosmetic surgeries had the marriage annulled when it was discovered by the groom's much wealthier family.
|
| So a lucrative target might be someone who traveled from outside the US to have work done to hide it, especially if they were relatively young.
|
| ryanlol wrote:
| It's always possible to come up with an extremely unlikely scenario where the data would be extraordinarily valuable, but nobody is going to bet hundreds of thousands (or millions, to actually make it worth it for the ransomware gang) to buy the data.
|
| LinuxBender wrote:
| Exception would likely be pictures of celebrities. Their managers would not want those being distributed and would sue whoever they could.
|
| ryanlol wrote:
| Again, that's only good for extortion. Only worth tens of thousands if you're going to sell them.
|
| LinuxBender wrote:
| Agreed. Otherwise they would just be dumped on the web or put behind paywalls of dodgy sites.
|
| Timpy wrote:
| > The Hospital Group, which has a long list of celebrity endorsements, has confirmed the ransomware attack.
|
| This isn't a ransomware attack, they're not encrypting the company's drives and demanding a ransom to unencrypt them. Not every "I hacked you now pay me or bad things happen" situation is ransomware.
|
| jahewson wrote:
| Extortionware would be appropriate.
|
| smarx007 wrote:
| What you are talking about are cryptolockers and they are a subset of ransomware. Not all ransomware are cryptolockers. In this case, ransomware exfilled the data without a need for cryptolockers. They are still asking for a ransom.
|
| bigbubba wrote:
| They're not using cryptography, but aren't they demanding ransom? Is the use of cryptography an essential part of what it means for something to be ransomware, or is it merely a common implementation detail?
|
| flyGuyOnTheSly wrote:
| They are demanding a ransom, but Ransomware has a commonly accepted definition which requires encrypting files and demanding payment to decrypt them. [0]
|
| [0] https://en.wikipedia.org/wiki/Ransomware
|
| zimpenfish wrote:
| The very first sentence of that link would include this under "ransomware"
|
| > Ransomware is a type of malware from cryptovirology that _threatens to publish the victim's data_ or perpetually block access to it unless a ransom is paid.
|
| (added emphasis)
|
| flyGuyOnTheSly wrote:
| That's a single sentence pulled from a very long definition, though.
|
| Here's the third sentence from that very same paragraph:
|
| >It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.
|
| Not everything can be explained in a single sentence.
|
| tompazourek wrote:
| They are not demanding ransom. Ransom is (per Merriam Webster): "a consideration paid or demanded for the release of someone or something from captivity".
|
| They copied the data, and they want money _otherwise_ they will release it. It's ordinary blackmail.
|
| bigbubba wrote:
| Perhaps you could say they are ransoming the exclusive ownership of the data.
| But yes, 'blackmail' seems like a better fit.
|
| curryst wrote:
| > They're not using cryptography, but aren't they demanding ransom?
|
| No, a ransom is a fee paid for the release of something you value. Cryptography is one way to take a user's data, and release it back to them on payment.
|
| This is blackmail. They want payment to _not_ release something.
|
| heavyset_go wrote:
| It's blackmail.
|
| ajay-b wrote:
| Against whom? Where is the profit mechanism? Are the hackers really prepared to track down every patient and try to blackmail them? It's like the emails you get some times from hackers that have an old password of yours and threaten to release that video of you pleasuring yourself. Seriously?
|
| derivagral wrote:
| To me, ransomware attacks are specifically "the malware got in and turned all my data to mush; the attacker doesn't care about my data, just that I'll pay to un-mush it."
|
| This is "the malware got in and sent copies back home; now home base is threatening release and expecting payment to prevent it." To me, this is blackmail done via hacking, not ransomware.
|
| Godel_unicode wrote:
| Fwiw, many actors doing the former are also doing the latter. If someone paid you once to unencrypt, presumably they'll pay you again to not disclose the data. The line between those two business models is pretty blurry.
|
| jMyles wrote:
| Ransom usually means, "I have some(one|thing) of yours, and if you _want it back_, you need to pay me."
|
| Calling this "ransomware" subtly blurs the line between copying and stealing. The attackers here didn't remove access to the data (clearly stealing), they made a copy (clearly a crime other than stealing, at least in my view).
|
| It's more like blackmail than kidnapping.
|
| throw14082020 wrote:
| Timpy :P, your understanding of Ransomware is different to Wikipedia's:
|
| > Ransomware is a type of malware from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
|
| Timpy wrote:
| If this is the definition of ransomware then I was indeed incorrect. I understood ransomware to be "threatens to perpetually block access to data" only.
|
| libria wrote:
| No I agree with your initial statement. The victim is not deprived of data or normal operation. As stated elsewhere it's blackmail.
|
| Adding: Wikipedia is also not necessarily authoritative.
|
| g_p wrote:
| When companies started restoring from their (new and existing!) backups when hit by ransomware, the ransomware authors looked at what would impact their "clients" the most -- if preventing them getting access to their data wasn't enough to make them pay up, then exposing their data and turning it into a breach that results in regulatory action helps them commercialise their "access".
|
| I think in a way, ransomware authors are following the "free market" approach, trying to best monetise their unauthorised access to other people's IT systems. Perhaps the prevalence of ransomware will eventually help businesses to properly cost in the risk of security to their business, and get their security in order, as there's a tangible cost threat?
|
| calvinmorrison wrote:
| So at this point it's just a normal Ransom. There's no 'wares' doing it. Someone stealing something does not make it ransomware.
|
| celticninja wrote:
| REvil is ransomware that locks you out but first exfiltrates your data. Then the attackers have 2 points of leverage, lock out which you may be able to circumvent with a safe backup process but that won't protect you from the release of your data. This gives the attacker 2 bites at the cherry when trying to convince you to pay.
|
| jolmg wrote:
| Since we're discussing word choices and definitions, I'd argue that it's not stealing either if the Hospital retained possession of the data. It might be better said that they "obtained without authorization" or "illegally obtained".
|
| What makes "stealing" particularly bad is that the rightful owner no longer has possession of their property. That's not necessarily the case with data.
|
| tomc1985 wrote:
| This sort of thing is why people need to stop thinking that the digital world is analogous to our analog one.
|
| In digital, information wants to be free and many kinds of resources are effectively unlimited. There is no material scarcity. Therefore, theft, in the digital world, can't be the same as it is in our analog world.
|
| To be fair, this also applies to copyright and peoples' foolish notion that they can protect data without a great amount of preventing otherwise normal "physiological" processes. (Ironically, rather than having a wake-up moment where people realize their folly, we've institutionalized these resource-scarcity regimes into resource-abundant versions in the digital world)
|
| To summarize, info wants to be free, and since theft requires _extra_ effort to deprive someone of what you stole, does that definition of theft really apply here? Or does it need to change given the context? And, as a secondary point, people like to think they can protect data but their brains are stuck in our analog, resource-scarce world
|
| young_unixer wrote:
| Stealing would be breaking into their premises and taking the computers. Obtaining data isn't stealing.
|
| pc86 wrote:
| > _Obtaining data isn't stealing._
|
| What is it then, if you don't have the legal right to the data?
|
| __MatrixMan__ wrote:
| If some law prevents you from having access to some data, then presumably that law has a name for whatever the crime is.
|
| It's not like we need the law to explicitly allow types of access.
| Anything not explicitly disallowed is allowed without a special name.
|
| "Stealing" happens when the original owner is deprived of the thing.
|
| riffraff wrote:
| but it's not even ransom, "ransom" is the situation where something/someone is held until money is paid and then it's returned.
|
| There is nothing being returned here, since the hospital has not lost access to the data, and the threat is that private data will be published.
|
| This is just blackmail.
|
| tertius wrote:
| What has been lost of the privacy of the data, which can be returned.
|
| plorkyeran wrote:
| No, it can't. It is impossible for the blackmailers to prove that they no longer have a copy of the data.
|
| threatofrain wrote:
| If somebody breaks into a psychiatrist's office and threatens the release of embarrassing or sensitive data unless there's payment, isn't that just classic blackmail?
|
| BoorishBears wrote:
| ... what?
|
| What moral question?
|
| This thread is someone questioning calling it was a ransomware attack, it was one. Being a ransomware attack doesn't preclude it from being blackmail, and I don't think anyone you replied to has questioned the morality of it...
|
| [deleted]
|
| ajay-b wrote:
| The payoff for hackers seems too low here, why was this even a target? Kids and too much free time?
|
| 29athrowaway wrote:
| They can collect the money and leak the information anyways.
|
| tompazourek wrote:
| If they leak the photos after they get the money, they might have less chance of getting the money next time.
|
| They probably don't care for the photos. They care about making money and want to keep making money in the future.
|
| powersnail wrote:
| They might not want to keep making money in the future. Sometimes, they score something big and leave the business.
|
| tompazourek wrote:
| Maybe you're right, but it still feels to me that leaking the pictures will not benefit the scammers much.
| They might have connections to other people that are still in the business and they'd harm them indirectly by leaking after getting paid. Why make more enemies? Also, why put more attention onto themselves after they already succeeded? Some people have very strange reasons they do things, but I still don't think it's likely. I think these things are organized with the top priority of minimizing the risk of getting caught.
|
| anigbrowl wrote:
| You're assuming they're rational in this regard, but not rational enough to change their identity or select a different class of target in the future.
|
| sib wrote:
| "It's understood that many before and after pictures will not include the patients' faces."
|
| What kind of pointless statement is this? What is "many"? And does that imply that "many," "most," or "only a few" pictures _will_ include the patients' faces?
|
| elliekelly wrote:
| Photos of facial surgery are more likely to be identifiable (nose, cheeks, chin, lips, eyes/eyebrows) while photos of bodily surgery (breasts, arms, stomach, etc.) won't include the patient's face. It's probably up to the doctor's photograph preference what types of facial photographs are identifiable and how close/far the zoom is when they take the picture.
|
| anonymfus wrote:
| _> It has 11 clinics specialising in bariatric weight loss surgery, breast enlargements, nipple corrections and nose adjustments._
|
| I guess pictures of nose adjustment patients most certainly include faces, and pictures of nipple corrections probably don't.
|
| Waterluvian wrote:
| Until these breaches result in lawsuits and maybe even criminal charges that result in complete dissolution of the corporation to pay out, these events will never stop happening.
___________________________________________________________________
(page generated 2020-12-24 23:00 UTC)