Shamis & Gentile P.A., a law firm specializing in data breach class actions, is currently investigating a significant data breach at Austin Plastic & Reconstructive Surgery. The unauthorized access occurred between June 30 and July 1, 2025, but wasn’t discovered until February 28, 2026—more than seven months later.
Patients were formally notified on March 11, 2026. This investigation is particularly serious because the attacker had already posted patient data to the Tor network on August 10, 2025, meaning sensitive information was exposed long before the medical facility even knew a breach had occurred.
Table of Contents
- What Was Breached in the Austin Plastic & Reconstructive Surgery Data Breach?
- How Long Did the Attacker Have Access to Patient Data?
- What Legal Action Are Shamis & Gentile P.A. Taking?
- What Compensation Are Affected Patients Entitled To?
- What Protection and Monitoring Are Being Offered?
- What Security Improvements Has the Facility Implemented?
- What’s Next for Affected Patients?
What Was Breached in the Austin Plastic & Reconstructive Surgery Data Breach?
The breach exposed a comprehensive set of personal and medical information for affected patients. Names, addresses, phone numbers, and email addresses were compromised, along with more sensitive identifiers including dates of birth, driver’s license and state ID numbers, passport numbers, and Social Security numbers.
Beyond identity information, the attacker also accessed financial account information and complete medical records. For patients at a cosmetic surgery center, this medical data includes detailed health histories, treatment records, surgical notes, and health insurance information—data that could be used for identity theft, insurance fraud, or targeted extortion. The scope of this breach is particularly damaging compared to incidents that expose only contact information; this is a full-profile breach that gives criminals everything needed to commit identity theft or medical fraud.
How Long Did the Attacker Have Access to Patient Data?
The timeline of this breach reveals a critical security failure. While the unauthorized access lasted only about two days (June 30 – July 1, 2025), the attacker had moved the data to the Tor network by August 10, 2025—more than a month later. Austin Plastic & Reconstructive Surgery didn’t discover the breach until February 28, 2026, which means the facility was unaware for over seven months that patient data had been stolen and publicly exposed on the dark web.
During this eight-month window, affected patients had no notice that their information was already being used or sold by criminals. This delay in discovery is a significant issue because it means patients lost critical months during which they could have taken proactive steps like freezing their credit or monitoring accounts. Many healthcare providers detect breaches within weeks; the extended timeline here suggests the facility had limited breach detection capabilities.
What Legal Action Are Shamis & Gentile P.A. Taking?
Shamis & Gentile P.A. is investigating whether the breach affected patients have grounds for a class action lawsuit against Austin Plastic & Reconstructive Surgery. Class actions for healthcare data breaches typically focus on negligence claims—did the facility fail to implement reasonable security measures?—and breach of contract or fiduciary duty claims.
The law firm can be reached at 833-877-7496 (Monday-Friday, 8:00 AM – 8:00 PM CT) for affected patients who want to discuss their case or learn more about the investigation. A successful class action would require proving that the facility’s security practices fell below industry standards or that they failed to respond appropriately to the breach once discovered. Some class actions also include claims about inadequate notification delays, since patients didn’t find out about the breach until nearly eight months after the initial exposure.
What Compensation Are Affected Patients Entitled To?
Patients affected by the Austin Plastic & Reconstructive Surgery breach may be entitled to compensation for harm or risk of harm they’ve experienced. Compensation in healthcare data breach class actions typically covers several categories: out-of-pocket expenses (for credit monitoring, identity theft recovery, time spent protecting yourself), emotional distress from having sensitive medical data exposed, and statutory damages where applicable.
However, patients should understand that proving “harm” in a data breach case is complicated; many courts have ruled that exposure to risk of future identity theft alone (without actual fraudulent charges) may not be sufficient grounds for compensation, depending on the state. Cases where patients can demonstrate actual damage—fraudulent accounts opened, unauthorized medical services billed, or extortion attempts—have stronger claims for monetary recovery. The specific compensation available will depend on the strength of the negligence claims and whether a class action is certified and reaches settlement.
What Protection and Monitoring Are Being Offered?
Austin Plastic & Reconstructive Surgery has committed to providing complimentary credit monitoring and identity theft protection services to all affected individuals. This is an important benefit but comes with limitations. Credit monitoring typically alerts you to new accounts opened in your name or significant credit inquiries, but these services are reactive; they notify you after suspicious activity has been detected, not before.
Additionally, credit monitoring covers credit bureau inquiries but doesn’t protect against medical identity theft, where criminals use stolen health insurance information to obtain prescription drugs or fraudulent medical services. For patients in this breach, the most critical step is to proactively freeze their credit with the three major bureaus (Equifax, Experian, and TransUnion) to prevent unauthorized account opening. While the free monitoring service is helpful, it shouldn’t be your only protective measure.
What Security Improvements Has the Facility Implemented?
The healthcare provider has announced that enhanced security measures have been implemented to prevent future incidents. However, the specific details of these improvements have not been publicly disclosed. This is common after breaches—healthcare facilities often keep security enhancements confidential to avoid revealing gaps to potential attackers.
The real question for patients is whether the improvements are sufficient. Given that the initial breach went undetected for over seven months, at minimum the facility should have implemented stronger monitoring systems to catch unauthorized data access in real time. Industry best practices now include automated alerts for unusual database access patterns, encryption of sensitive patient data, and regular penetration testing. Without knowing specifically what Austin Plastic & Reconstructive Surgery has deployed, affected patients cannot fully assess whether future breaches are less likely.
What’s Next for Affected Patients?
If you received a breach notification letter from Austin Plastic & Reconstructive Surgery or believe you were a patient there during the access window (June 30 – July 1, 2025), the first action is to contact the investigation hotline at 833-877-7496 to discuss your potential involvement in the class action. Simultaneously, take protective steps: place a credit freeze with Equifax, Experian, and TransUnion; monitor your credit reports for suspicious activity; and watch for unexpected medical bills, insurance claims, or collection notices.
The investigation and potential class action settlement process typically takes 12 to 18 months from start to resolution, so affected patients should prepare for a longer timeline. Staying in contact with Shamis & Gentile P.A. ensures you remain informed of developments and claim deadlines.