Plastic Surgery Patient Photos, Info Exposed by Leaky Database


Hundreds of thousands of documents with plastic surgery patients' personal information and highly sensitive photos were exposed online by an improperly secured Amazon Web Services (AWS) S3 bucket.

NextMotion is a French plastic surgery tech firm that provides imaging and patient management services that help 170 plastic surgery clinics from 35 countries document, digitize and market their practices.

The company promises to address clients' "before & after imaging issues, reassure your patients, simplify your data management and improve your e-reputation."

"Nextmotion is an ecosystem based on a medical cloud which allows you to sort, store and access your data wherever you are," the company's site says.

"In that sense, all your data is covered with the highest requested security level as it is hosted in France on servers authorized by the Haute Autorité de Santé (French Health Authority) - in our case, AWS who is certified."

Graphic photos of patients exposed

The bucket was used by NextMotion to store roughly 900,000 files with highly sensitive patient images and videos, as well as plastic surgery, dermatological treatments, and consultation documents.

Security researchers Noam Rotem and Ran Locar, working with vpnMentor, discovered the open S3 bucket on January 24. On closer analysis they found outlines and invoices for cosmetic treatments, videos of 360-degree body and face scans, and patient photos that, in some cases, were graphic snapshots of genitals, breasts, and more.

All of these files had been uploaded to the unsecured bucket by NextMotion clients using the company's medical imaging solution.

While there is no way to know the exact number of patients that had their information exposed, the hundreds of thousands of files found in the S3 bucket hint at thousands of patients having their sensitive data exposed.

[Image: Plastic surgery patient photos (Noam Rotem and Ran Locar)]

PII data also exposed

NextMotion's CEO said in a press release that the patient data stored in the leaky database "had been de-identified - identifiers, birth dates, notes, etc. - and thus was not exposed."

However, "the exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients," as the two researchers explained.

"This type of data can be used to target people in a wide range of scams, fraud, and online attacks," their report also added.

"We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared," NextMotion says.

"This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application."

As a reminder, all your data is stored in France, in a secure HDS (personal data hosting) compliant medical cloud. Our application and our data management practice were audited in 2018 by a GDPR (General Data Protection Regulation) specialized law firm, in order to ensure our compliance with the data regulation which came into effect in 2019. - CEO of NextMotion

Previous incidents impacting plastic surgery patients

This is not the first time the sensitive personal information of plastic surgery patients might have landed in the wrong hands following a security incident.

In 2017, the London Bridge Plastic Surgery clinic issued a data breach statement saying that The Dark Overlord (TDO) hacking group was able to steal patient information and highly sensitive photos.

The AZ Plastic Surgery Center notified 5,524 patients in February 2019 that some of their protected health information (PHI) may have been accessed by TDO.

Later last year, in early November 2019, The Center for Facial Restoration reported to the U.S. Department of Health and Human Services that the PII of up to 3,600 patients may have been stolen in a hacking incident.