The before-and-after photos of thousands of plastic surgery patients in Europe were recently left exposed, a lapse that has since been rectified, researchers at vpnMentor wrote in a blog post.
The researchers, led by Noam Rotem and Ran Locar, discovered on Jan. 24 that NextMotion had not secured or encrypted the body images and PII of patients of the doctors and clinics it has worked with since 2015.
NextMotion, which serves 170 clinics in 35 countries, confirmed in the data security section of its website that on Jan. 27 a security firm informed it that, during tests on randomly selected companies, the firm had managed to access NextMotion's information system, and warned the company of a potential risk of intrusion.
“They were able to extract videos and photos from some of our patients’ files,” wrote NextMotion CEO Emmanuel Elard, who apologized for the “fortunately minor incident” and said the company immediately took “corrective steps.”
Elard insisted the impacted “data had been de-identified – identifiers, birth dates, notes, etc. – and thus was not exposed.”
The private personal data vpnMentor viewed included invoices for treatments; outlines of proposed treatments; video files, including 360-degree body and face scans; and patients’ facial, “very graphic” body, breast and genital profile photos, which are shown, albeit obscured, on the blog post.
“This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application,” said Elard, adding that all data is stored in France in a secure medical cloud compliant with HDS (Hébergeur de Données de Santé, the French health data hosting certification).
“vpnMentor research team discovered the breach in NextMotion’s database as part of a huge web mapping project,” the blog post stated. Its researchers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses, and investigate each hole for data being
NextMotion said its application and data management practices were audited in 2018 by a law firm specializing in the GDPR (General Data Protection Regulation), in order to ensure compliance with the regulation, which took effect in May 2018.
vpnMentor noted that NextMotion used an Amazon Web Services (AWS) S3 bucket to store patient image files and other data “but left it completely unsecured.” The researchers gained access to almost 900,000 individual files, including highly sensitive images, video files and paperwork relating to plastic surgery, dermatological treatments and consultations performed by clinics using NextMotion’s proprietary technology.
Publicly viewable S3 buckets “are not a flaw of AWS,” vpnMentor noted. “They’re usually the result of an error by the owner of the bucket,” the security firm stated, adding that Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
In the case of NextMotion, vpnMentor advised that the quickest way to fix this error would be to:
- Reconfigure the S3 bucket’s settings to be more secure.
- Make the bucket private and add authentication protocols.
- Follow AWS access and authentication best practices.
- Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
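What that advice looks like as a concrete check, as an added example that is not code from vpnMentor, NextMotion or the original article: a small Python audit that inspects the three controls the advice refers to, the bucket ACL, the bucket policy and the Block Public Access settings, and reports whether the bucket is reachable anonymously and which fixes still apply. The inputs are constructed dicts in the shape boto3 returns for get_bucket_acl, get_bucket_policy and get_public_access_block, so the script runs offline; the bucket name example-clinic-media, the IAM role clinic-app and the account ID are made up for the example.

```python
"""Audit an S3 bucket's ACL, bucket policy and Block Public Access settings for public exposure.

Added example (not vpnMentor's or NextMotion's code). The inputs are constructed to match the
response shapes of the S3 API calls get_bucket_acl, get_bucket_policy and get_public_access_block.
"""
import json

# Predefined S3 groups an ACL can grant to; a grant to either one makes the bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Return (group, permission) pairs the ACL grants to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def policy_anonymous_statements(policy):
    """Return the actions of Allow statements with an anonymous principal and no Condition."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditioned grants are not unconditional public access
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if anonymous:
            found.extend(_as_list(stmt.get("Action", [])))
    return found


def public_access_block_gaps(pab):
    """Return the Block Public Access flags that are not switched on."""
    return [k for k in PAB_SETTINGS if not pab.get(k, False)]


def audit_bucket(acl, policy, pab):
    """Combine the three controls into one verdict plus the list of fixes still to apply."""
    acl_grants = acl_public_grants(acl)
    anon_actions = policy_anonymous_statements(policy) if policy else []
    gaps = public_access_block_gaps(pab)
    # IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets neutralises public policies.
    acl_exposed = bool(acl_grants) and "IgnorePublicAcls" in gaps
    policy_exposed = bool(anon_actions) and "RestrictPublicBuckets" in gaps
    fixes = []
    if gaps:
        fixes.append("enable Block Public Access: " + ", ".join(gaps))
    if acl_grants:
        fixes.append("reset the bucket ACL to 'private' (remove the group grants)")
    if anon_actions:
        fixes.append("remove Principal '*' Allow statements; grant access to named IAM principals only")
    return {"public": acl_exposed or policy_exposed, "acl_grants": acl_grants,
            "anonymous_actions": anon_actions, "pab_gaps": gaps, "fixes": fixes}


# Constructed sample 1: a world-readable bucket of the kind the article describes.
OPEN_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-clinic-media", "arn:aws:s3:::example-clinic-media/*"]}]})
OPEN_PAB = {k: False for k in PAB_SETTINGS}

# Constructed sample 2: the corrected configuration (private ACL, a named role, TLS required, all four flags on).
FIXED_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/clinic-app"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-clinic-media/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-clinic-media", "arn:aws:s3:::example-clinic-media/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
FIXED_PAB = {k: True for k in PAB_SETTINGS}

if __name__ == "__main__":
    for name, args in (("open", (OPEN_ACL, OPEN_POLICY, OPEN_PAB)),
                       ("fixed", (FIXED_ACL, FIXED_POLICY, FIXED_PAB))):
        print(name, json.dumps(audit_bucket(*args), indent=2))
```

The verdict is deliberately conservative: a public ACL grant or a Principal "*" statement is reported as a fix even when Block Public Access currently neutralises it, because the bucket becomes public again the moment someone turns the flag off. Against a live account the same three dicts come from boto3's get_bucket_acl, get_bucket_policy and get_public_access_block calls (get_bucket_policy raises NoSuchBucketPolicy when there is none, which the audit treats as an empty policy).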