Plastic Surgery Records Leaked Online
NextMotion is a French plastic surgery technology company that develops imaging and patient management software. Its imaging software creates before-and-after photos and videos of patients. Doctors and clinics in approximately 35 different countries use these images to show patients the expected end results and to follow up with patients during and after treatment.
Phishing, Blackmail and Fraud
Some of the exposed images are highly sensitive. They include 360-degree photos of patients’ faces and of the specific areas of their bodies being treated. Besides graphic files, the security researchers also found invoices, prescriptions, treatment details, costs of procedures and time stamps. According to the security researchers, the biggest concern is the privacy and security risk this exposure created for the patients themselves. “Aside from the incredibly sensitive and intimate nature of the files exposed, they also made those affected vulnerable to numerous forms of fraud, theft, and online attack.” If hackers gain access to such databases, they could use the stolen information to target patients or the clinic. This has actually happened before: in November 2019 at the Center of Facial Restoration in Florida, and in October 2017, when another breach affected plastic surgery patients at the London Bridge Plastic Surgery Clinic.
“Only” Media Database Exposed
In an official statement, NextMotion explained that it stores images in a dedicated media database. This database is separate from the patients’ personal data database, which includes names, birth dates, notes, etc. “Only the media database was exposed, not the patients’ database”, the company emphasized. Although the S3 bucket is now secured, the breach could easily have been prevented. Basic security procedures, such as securing servers and applying correct access rules to the bucket, would have been sufficient.