A new data-related incident was recently reported, affecting some personal details of plastic surgery patients. The exposed personal data includes hundreds of thousands of documents and photos, and at fault is an improperly configured Amazon Web Services S3 bucket.
NextMotion’s Data Breach: What Happened?
NextMotion, a French plastic surgery technology company which provides solutions to clinics, was informed that on January 27, 2020, “a cybersecurity company had undertaken tests on randomly selected companies and had managed to access our information system”. The cybersecurity experts were able to access and extract media, including both videos and photos, from some of NextMotion’s patient files. According to their official statement, the affected media files are stored in a separate database, and the patients’ personal data database was not exposed.
According to VPNMentor, the cybersecurity company that performed the test, “this breach made NextMotion, its clients, and their patients incredibly vulnerable and represented a significant lapse in the company’s data privacy policies.”
“The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software. These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated”, VPNMentor said.
According to NextMotion’s own description of its service, all patient data is 100% secure, stored on medical clouds compliant with the latest health data storage regulations. However, this turned out not to be 100% true, as the AWS S3 bucket the company used to store patient files was left “completely unsecured”.
VPNMentor successfully accessed almost 900,000 individual files, including highly sensitive images, video files, and paperwork related to plastic surgery procedures, dermatological treatments, and consultations performed by clinics running NextMotion’s technology. More specifically, breached data included treatment invoices, outlines for proposed treatments, video files, 360-degree body and face scans, and facial and body photos.
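An exposure of this kind is usually the result of a bucket ACL or bucket policy that grants access to everyone, with no Public Access Block in place. The following is an added example (not NextMotion’s or VPNMentor’s code) of an offline check over the three controls that decide whether an S3 bucket is world-readable; the sample ACL, policy and block settings are constructed in the shapes boto3 returns, and the bucket name and owner id are placeholders.

```python
import json

# Grantee URIs that mean "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers)
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """(group, permission) pairs in a get_bucket_acl()-shaped dict that expose the bucket."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def _anyone(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_statements(policy_json):
    """Allow statements open to everyone; ones carrying a Condition are flagged 'conditional'."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [(s.get("Sid", f"statement[{i}]"), "conditional" if "Condition" in s else "public")
            for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _anyone(s.get("Principal"))]

def is_bucket_public(acl, policy_json, public_access_block):
    """A fully enabled PublicAccessBlock overrides both a public ACL and a public policy."""
    if all(public_access_block.get(k) for k in BLOCK_FLAGS):
        return False
    return bool(public_acl_grants(acl)) or any(
        kind == "public" for _, kind in public_policy_statements(policy_json))

# Constructed sample inputs (placeholder ids; not real NextMotion data): a READ grant to
# AllUsers plus a policy allowing s3:GetObject to any principal, i.e. the "completely unsecured" shape.
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
NO_BLOCK = dict.fromkeys(BLOCK_FLAGS, False)
FULL_BLOCK = dict.fromkeys(BLOCK_FLAGS, True)

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL), public_policy_statements(SAMPLE_POLICY))
    print("public without block:", is_bucket_public(SAMPLE_ACL, SAMPLE_POLICY, NO_BLOCK))
    print("public with block:", is_bucket_public(SAMPLE_ACL, SAMPLE_POLICY, FULL_BLOCK))
```

In a live audit the three inputs come from `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`; the same functions apply unchanged.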
It seems that patients around the world are affected, but the exact origin of the files is currently not known.
A survey carried out in 2017 by Accenture revealed that one in four respondents had had their personal medical details stolen from healthcare systems. Half of the affected Americans were in fact victims of medical identity theft and had to pay approximately $2,500 per incident.
Another detail the survey uncovered is that breaches are most likely to happen in hospitals. Hospitals were the location most often named by participants, followed by urgent-care clinics, pharmacies, physician’s offices, and health insurers.