During tests on randomly selected companies, security researchers discovered a database containing hundreds of thousands of plastic surgery patients’ files. The documents were stored in an unsecured Amazon S3 bucket. The images of patients’ faces and private parts of their bodies had been uploaded to Amazon S3 via NextMotion’s proprietary software.
Plastic Surgery Records Leaked Online
NextMotion is a French plastic surgery technology company that develops imaging and patient management software. Its imaging software creates before and after photos and videos of patients. Doctors and clinics in approximately 35 different countries use these images to show patients the expected end results and to follow up with patients during and after treatment.
The information can be uploaded to NextMotion’s Amazon S3 bucket. Amazon S3, also known as Amazon Simple Storage Service, is a service offered by Amazon Web Services to store any type of information in the cloud. In theory, an S3 bucket is a safe place to store any kind of information. Amazon offers a range of flexible security features by default to block unauthorized users from accessing data.
However, during a random search, security researchers Noam Rotem and Ran Locar were able to access and extract media from patients’ files. In total, almost 900,000 individual files were exposed. They quickly identified NextMotion as the likely owner and consequently contacted the company within days. A week later, on January 30, they warned Amazon, and on February 5 the S3 bucket was secured.
Phishing, Blackmail and Fraud
Some of the exposed images are highly sensitive. They include 360-degree photos of patients’ faces and the specific areas of their bodies being treated. Besides graphic files, the security researchers also found invoices, prescriptions, treatment details, costs of procedures as well as time stamps.
The biggest concern, according to the security researchers, is the set of privacy and security issues the exposure created for the patients themselves. “Aside from the incredibly sensitive and intimate nature of the files exposed, they also made those affected vulnerable to numerous forms of fraud, theft, and online attack.”
If hackers gain access to such databases, they could steal the information to target patients or the clinic. This actually happened in November 2019 at the Center of Facial Restoration in Florida. In October 2017, another breach affected plastic surgery patients at the London Bridge Plastic Surgery Clinic.
“Only” Media Database Exposed
In an official statement, NextMotion explained that they store images in a specific media database. This database is separate from the patients’ personal data database, which includes names, birth dates, notes, etc. “Only the media database was exposed, not the patients’ database”, the company emphasized.
Although the S3 bucket is now secured, the breach could have easily been prevented. Just some basic security procedures, such as securing servers and using correct server access rules, would have been sufficient.
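The “correct access rules” the article refers to are, for an S3 bucket, the Block Public Access settings, the bucket ACL and the bucket policy. The following script is an added illustration of how an owner can audit those three settings; it is not NextMotion’s or Amazon’s code. The analysis functions are pure and take responses in the shape the S3 API documents for GetPublicAccessBlock, GetBucketAcl and GetBucketPolicyStatus, so they run offline against the constructed sample responses embedded below; the optional fetch_and_audit helper pulls live responses with boto3 and is an assumption about how one would wire it up.

```python
"""Audit whether an S3 bucket is publicly exposed, from the three API
responses that decide it. Added example, not NextMotion's or AWS's code."""

from typing import Dict, List

# Grantee URIs AWS uses for "everyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The hardened configuration: every Block Public Access switch enabled.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_acl_grants(acl: Dict) -> List[str]:
    """List the permissions a GetBucketAcl response grants to the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{grant.get('Permission')} to {group}")
    return findings


def missing_public_access_blocks(pab: Dict) -> List[str]:
    """Name the Block Public Access switches that are not enabled.
    Pass {} when the bucket has no configuration at all (the API signals
    that with NoSuchPublicAccessBlockConfiguration)."""
    config = pab.get("PublicAccessBlockConfiguration", {})
    return [k for k, want in HARDENED_PUBLIC_ACCESS_BLOCK.items() if config.get(k) is not want]


def audit_bucket(pab: Dict, acl: Dict, policy_status: Dict) -> Dict:
    """Combine the three responses into {"public": bool, "findings": [...]}.
    A public ACL only exposes data when IgnorePublicAcls is off; a public
    policy only exposes data when RestrictPublicBuckets is off."""
    config = pab.get("PublicAccessBlockConfiguration", {})
    findings = []
    grants = public_acl_grants(acl)
    exposed_by_acl = bool(grants) and not config.get("IgnorePublicAcls", False)
    if exposed_by_acl:
        findings.append("ACL grants public access: " + ", ".join(grants))
    policy_public = bool(policy_status.get("PolicyStatus", {}).get("IsPublic", False))
    exposed_by_policy = policy_public and not config.get("RestrictPublicBuckets", False)
    if exposed_by_policy:
        findings.append("bucket policy is public and RestrictPublicBuckets is off")
    missing = missing_public_access_blocks(pab)
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return {"public": exposed_by_acl or exposed_by_policy, "findings": findings}


def fetch_and_audit(bucket: str) -> Dict:
    """Live variant (assumed wiring, needs credentials): fetch the three
    responses with boto3 and run the same audit."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = {}
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        status = s3.get_bucket_policy_status(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        status = {"PolicyStatus": {"IsPublic": False}}
    return audit_bucket(pab, acl, status)


# Constructed sample responses: an owner grant plus a world-readable ACL,
# no Block Public Access configuration, and no bucket policy.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_PAB: Dict = {}
HARDENED_PAB = {"PublicAccessBlockConfiguration": dict(HARDENED_PUBLIC_ACCESS_BLOCK)}
NO_POLICY = {"PolicyStatus": {"IsPublic": False}}

if __name__ == "__main__":
    print("before:", audit_bucket(EXPOSED_PAB, EXPOSED_ACL, NO_POLICY))
    print("after: ", audit_bucket(HARDENED_PAB, EXPOSED_ACL, NO_POLICY))
```

Running the two sample cases shows the point of the account-level switches: the same world-readable ACL that exposes the bucket in the first case is neutralised in the second simply by enabling all four Block Public Access settings, without having to find and rewrite every grant.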