A study carried out by a team of security experts from vpnMentor has found that a database exposure due to a misconfigured cloud server has leaked plastic surgery photos and videos of patients belonging to a French Plastic Surgery Company named “NextMotion”.
The 2015 founded company which is into the sales of digital cameras meant to record events related to plastic surgeries in dermatology clinics has issued a public apology yesterday to all those patients of its 170 clinics operating in over 35 countries.
NextMotion from France also offers software for facial analysis and documentation procedures for the treatments carried out in its clientele databases. It is known to keep a tab of digital consent forms, treatment reports, quotes and the billing details on cloud-based databases- and this where the trouble started.
Due to misconfiguration error, researchers from vpnMentor have discovered that many sensitive images of plastic surgery patients uploaded from the medical devices and software were accessed fraudulently by hackers.
News is out that hackers could have gained access to over 900,000 images from Amazon Web Services S3 bucket which might have exposed details such as patients’ private parts.
NextMotion has given a brief clarification on its website that data related to patients such as names, birth dates, and contacts and surgery history is stored on a separate database whereas the photos and video evidence were stored on the media database. The authorities at the healthcare have mentioned in the statement that only details from the media database might get exposed to hackers- if at all they accessed the database due to the misconfiguration error.
The healthcare has also further disclosed in its statement that it has been storing patient records as per the regulations prevailing in the country such as HIPAA, GDPR, ISO and such…
As the database was named after the company, it became easy for vpnMentor researchers to contact the company about the possible data breach. And the NextMotion officials reacted on February 5th, 2020 by taking down the database offline.