Steven J. Pearlman MD PC Data Breach: 10,182+ Patients Affected
On November 9, 2025, Steven J. Pearlman MD PC, operating as Pearlman Aesthetic Surgery, reported a significant data breach to the U.S. Department of Health and Human Services (HHS). This Manhattan-based facial plastic and reconstructive surgery practice disclosed that a hacking incident compromised the protected health information of over 10,000 patients.
What Happened
Steven J. Pearlman MD PC discovered that unauthorized individuals had accessed sensitive data within their network systems. The breach was classified as a "Hacking/IT Incident" that specifically targeted the practice's network server infrastructure.
The practice filed official notice of the data breach with the HHS Office for Civil Rights on November 9, 2025, the same day they discovered the incident. This prompt reporting demonstrates compliance with HIPAA's breach notification requirements, which mandate reporting within 60 days of discovery.
Interestingly, there appears to be a discrepancy in the reported numbers. While the HHS Wall of Shame lists 10,182 affected individuals, the original disclosure indicated that 11,764 current and former patients across the United States were impacted by this security incident.
Who Is Affected
The breach impacted over 10,000 current and former patients of Pearlman Aesthetic Surgery, a well-established facial plastic and reconstructive surgery practice located in Manhattan, New York. The affected individuals span across the United States, indicating that the practice serves patients from multiple states.
Patients who received services from Steven J. Pearlman MD PC and had their information stored in the practice's network systems are potentially affected by this breach. The practice has begun the process of notifying impacted individuals about the incident, as required under HIPAA regulations.
Breach Details
The breach occurred through unauthorized access to the practice's network server, where sensitive patient information was stored. Based on the available information, the compromised data may include:
- Patient names
- Personal information
- Protected health information (PHI)
The specific technical details of how the hackers gained access to the network server have not been disclosed. Without additional information from the practice, it's unclear whether this was a ransomware attack, data theft operation, or another type of cybercriminal activity.
The breach location, identified as "Network Server," suggests that the attackers successfully penetrated the practice's IT infrastructure, potentially gaining access to centralized patient databases and file systems.
What This Means for Patients
For the thousands of patients affected by this breach, the exposure of personal and protected health information poses several risks:
- Identity Theft Risk: With access to names and personal information, cybercriminals could potentially use this data for identity theft or fraud schemes.
- Medical Privacy Violations: The exposure of protected health information represents a significant privacy breach, potentially revealing sensitive medical procedures and treatments.
- Future Targeting: Patients may become targets for additional scams or phishing attempts, as cybercriminals often sell stolen healthcare data on the dark web.
- Insurance Fraud: Healthcare information can be used to commit insurance fraud or obtain medical services under false identities.
The fact that this breach affected a specialized practice focusing on facial plastic and reconstructive surgery could make the exposed information particularly sensitive, as it may reveal details about cosmetic procedures that patients prefer to keep private.
How to Protect Yourself
If you are a current or former patient of Steven J. Pearlman MD PC, consider taking these protective steps:
- Monitor Your Accounts: Regularly check your bank accounts, credit cards, and insurance statements for unauthorized activity.
- Review Medical Records: Monitor your medical records and insurance claims for any unfamiliar services or treatments that could indicate medical identity theft.
- Stay Alert for Scams: Be cautious of unsolicited communications claiming to be related to the breach, as scammers often exploit data breach situations.
- Consider Credit Monitoring: While it's unclear if the practice is offering credit monitoring services, consider enrolling in credit monitoring to detect potential identity theft.
- Update Security Measures: Use strong, unique passwords for all online accounts and enable two-factor authentication where available.
- Report Suspicious Activity: If you notice any unusual activity that could be related to the breach, report it to the appropriate authorities and financial institutions immediately.
Prevention Lessons for Healthcare Providers
This breach at Steven J. Pearlman MD PC highlights critical cybersecurity vulnerabilities that healthcare providers must address:
- Network Security: Healthcare practices must implement robust network security measures, including firewalls, intrusion detection systems, and regular security audits.
- Access Controls: Implementing strict access controls and authentication mechanisms can prevent unauthorized individuals from accessing sensitive patient data.
- Regular Updates: Keeping all software, operating systems, and security patches up to date is essential for preventing known vulnerabilities from being exploited.
- Employee Training: Staff should receive regular cybersecurity training to recognize phishing attempts, social engineering tactics, and other common attack vectors.
- Incident Response Planning: Having a comprehensive incident response plan ensures that breaches are detected quickly and proper notification procedures are followed.
- Data Encryption: Encrypting stored data and data in transit provides an additional layer of protection even if systems are compromised.
- Business Associate Agreements: Ensuring that all third-party vendors handling PHI have proper security measures and signed business associate agreements is crucial.
The healthcare industry continues to be a prime target for cybercriminals due to the valuable nature of medical data. Small and medium-sized practices, in particular, may lack the extensive cybersecurity resources of larger health systems, making them attractive targets for hackers.
This incident serves as a reminder that no healthcare organization is immune to cyber threats, and proactive security measures are essential for protecting patient privacy and maintaining HIPAA compliance.