Neinstein Plastic Surgery Data Breach: Patient Info Exposed

Neinstein Plastic Surgery PLLC, a New York City-based plastic surgery practice specializing in liposuction, body contouring and breast procedures, has disclosed a data breach involving unauthorized access to a company email account. The breach exposed sensitive personal and medical information belonging to patients, prospective patients and other individuals connected to the practice.

The practice disclosed the breach to the Massachusetts Office of Consumer Affairs and Business Regulation. Neinstein Plastic Surgery sent notification letters to affected individuals on April 6, 2026.

The total number of individuals affected remains undisclosed, although 21 residents of Massachusetts were affected.

What happened in the Neinstein Plastic Surgery data breach

Neinstein Plastic Surgery first became aware of a data security incident affecting one of its email accounts on Dec. 2, 2025. The practice initiated an investigation to understand the scope and nature of the event.

Through the investigation, the practice determined that an unauthorized third party had access to the email account from Nov. 12, 2025, through Nov. 20, 2025.

The investigation continued for several months after the initial discovery. On Feb. 20, 2026, the practice confirmed that certain files within the compromised email account contained personal information that may have been exposed during the breach.

The types of information that may have been exposed vary by individual but include names, dates of birth, contact information, driver's license or passport numbers, health insurance information, clinical information (such as healthcare provider names, medical diagnoses and treatment details), credit card or financial account information and Social Security numbers.

Neinstein Plastic Surgery's response to the breach

The practice is offering one year of complimentary identity protection services through Experian IdentityWorks. The membership includes several features designed to detect and address identity theft. These include credit monitoring on the Experian credit file, access to an Experian credit report at signup and daily credit reports for those who enroll online.

The Experian IdentityWorks membership also includes identity restoration services. The membership also provides $1 million in identity theft insurance to cover certain costs and unauthorized electronic fund transfers.

Affected individuals must enroll by June 30, 2026, to activate their membership. Enrollment is available online at the Experian IdentityWorks website using the activation code provided in the notification letter.

The practice has set up a dedicated phone line for affected individuals who have questions about the incident. The number is 1-833-918-4089, available Monday through Friday from 8 a.m. to 8 p.m. Central time.

Steps to take if your information was exposed

• Place a credit freeze with all three major credit bureaus by contacting Equifax (1-800-685-1111), Experian (1-888-397-3742) and TransUnion (1-888-909-8872) to help prevent new accounts from being opened without consent.
• Request free credit reports at AnnualCreditReport.com and review them closely for unfamiliar accounts, unauthorized inquiries or inaccurate personal details.
• Review financial account and credit card statements regularly and report any suspicious or unrecognized transactions to the relevant financial institution right away.
• Monitor Explanation of Benefits statements from health insurers for services not received, as exposed medical information could be used for medical identity theft.
• Be cautious of phishing attempts that reference Neinstein Plastic Surgery or this breach by name, since scammers sometimes exploit real breach notifications to trick people into sharing additional personal information.
• Consider placing a fraud alert with one of the three credit bureaus, which will then notify the other two and require businesses to take extra steps to verify identity before issuing new credit.