The before-and-after photos of thousands of plastic surgery patients in Europe were recently left exposed online, an issue since rectified, researchers at vpnMentor wrote in a blog post.
The researchers, led by Noam Rotem and Ran Locar, discovered on Jan. 24 that NextMotion had not secured or encrypted the body images and PII of patients of the doctors and clinics it has worked with since 2015.
NextMotion, which serves 170 clinics in 35 countries, confirmed in the data security section of its website that on Jan. 27 a security firm informed it that, during tests on randomly selected companies, it had managed to access NextMotion's information system, and warned the company of a potential risk of intrusion.
“They were able to extract videos and photos from some of our patients’ files,” wrote NextMotion CEO Emmanuel Elard, who apologized for the “fortunately minor incident,” prompting it immediately to take “corrective steps.”
Elard insisted the impacted “data had been de-identified – identifiers, birth dates, notes, etc. – and thus was not exposed.”
The private personal user data vpnMentor viewed included: invoices for treatments; outlines for proposed treatments; video files, including 360-degree body and face scans; and patient facial, “very graphic” body, breast and genital profile photos, which are shown, albeit obscured, on the blog post.
“This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application,” said Elard, adding that all data is stored in France in a secure medical cloud compliant with HDS (Hébergeur de Données de Santé, France’s health data hosting certification).
“The vpnMentor research team discovered the breach in NextMotion’s database as part of a huge web mapping project,” stated the blog post. Its researchers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses, and investigate each hole for data being leaked.
NextMotion said its application and data management practice were audited in 2018 by a law firm specializing in the GDPR (General Data Protection Regulation), in order to ensure its compliance with the data regulation, which became applicable in May 2018.
vpnMentor noted NextMotion used an Amazon Web Services (AWS) S3 bucket (object storage, not a database) to store patient image files and other data, “but left it completely unsecured.” The researchers gained access to almost 900,000 individual files, including highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s proprietary technology.
“Open, publicly viewable S3 buckets are not a flaw of AWS,” vpnMentor noted. “They’re usually the result of an error by the owner of the bucket,” the security firm stated, adding that Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
In the case of NextMotion, vpnMentor advised the quickest way to fix this error would be to:
- Reconfigure the S3 bucket’s settings to be more secure.
- Make the bucket private and add authentication protocols.
- Follow AWS access and authentication best practices.
- Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
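The remediation list above is general. As an added illustration, not vpnMentor's or NextMotion's code, the following Python checks a bucket configuration for the two ways an S3 bucket becomes publicly readable (a public ACL grant, and a bucket policy that allows an anonymous principal), shows how the four S3 Block Public Access settings neutralise both, and places a constructed weak configuration beside a hardened one. The bucket name, account ID and role name are placeholders; the configuration dictionaries are assumed to be modelled on what `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return, trimmed to the fields used.

```python
"""Added example (not vpnMentor's or NextMotion's code): assess an S3 bucket
configuration for public readability, beside a hardened configuration.
Bucket name, account ID and role name are placeholders; both configurations
are constructed for illustration."""

# Group URIs whose presence in an ACL grant makes the grant public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:GetObject"}

# Constructed weak configuration: ACL grants READ to everyone, the policy
# allows anonymous GetObject, and no Block Public Access setting is on.
WEAK_BUCKET = {
    "Bucket": "example-clinic-media",
    "PublicAccessBlock": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                          "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-clinic-media/*"},
    ]},
}

# Constructed hardened configuration: private ACL, all four Block Public
# Access settings on, access limited to one application role (placeholder
# account and role), and a Deny for any request not sent over TLS.
HARDENED_BUCKET = {
    "Bucket": "example-clinic-media",
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER"}, "Permission": "FULL_CONTROL"},
    ]},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/clinic-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-clinic-media/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-clinic-media",
                      "arn:aws:s3:::example-clinic-media/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]},
}


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _grants_read(action):
    actions = action if isinstance(action, list) else [action]
    return any(a in READ_ACTIONS for a in actions)


def public_acl_grants(cfg):
    """Public READ grants in the ACL that are still effective.
    IgnorePublicAcls makes S3 disregard public ACL grants, so with it on
    the ACL cannot expose the bucket even if the grants remain."""
    if cfg["PublicAccessBlock"].get("IgnorePublicAcls"):
        return []
    return [g for g in cfg["Acl"]["Grants"]
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g["Permission"] in READ_PERMISSIONS]


def public_policy_statements(cfg):
    """Allow statements that grant read to an anonymous principal.
    RestrictPublicBuckets limits a public policy to the account's own
    principals, so with it on these statements no longer expose the bucket.
    Statements with a Condition are treated as non-public here; that is a
    simplification, and their condition keys need a manual review."""
    if cfg["PublicAccessBlock"].get("RestrictPublicBuckets") or not cfg.get("Policy"):
        return []
    return [s for s in cfg["Policy"]["Statement"]
            if s.get("Effect") == "Allow"
            and _principal_is_anonymous(s.get("Principal"))
            and _grants_read(s.get("Action", []))
            and not s.get("Condition")]


def assess_bucket(cfg):
    """Summarise which settings, if any, leave the bucket publicly readable."""
    findings = [f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
                for g in public_acl_grants(cfg)]
    findings += [f"policy statement {s.get('Sid', '<unnamed>')} allows anonymous read"
                 for s in public_policy_statements(cfg)]
    missing = [k for k, v in cfg["PublicAccessBlock"].items() if not v]
    return {"bucket": cfg["Bucket"], "public": bool(findings),
            "findings": findings, "public_access_block_missing": missing}


if __name__ == "__main__":
    for cfg in (WEAK_BUCKET, HARDENED_BUCKET):
        print(assess_bucket(cfg))
```

On a live account the equivalent of the hardened settings is `aws s3api put-public-access-block --bucket <name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true` followed by `aws s3api put-bucket-acl --bucket <name> --acl private` and a scoped bucket policy; the Block Public Access settings are worth applying first, since they close both exposure paths even before the ACL and policy are cleaned up.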