Report: 1,000s of Plastic Surgery Patients Exposed in Massive Data Leak
Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a breached database belonging to plastic surgery technology company NextMotion.
NextMotion provides clinics working in dermatology, cosmetic, and plastic surgery with digital photography and video devices for their patients.
The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software. These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated.
This breach made NextMotion, its clients, and their patients incredibly vulnerable and represented a significant lapse in the company’s data privacy policies.
Based in France, NextMotion was established in 2015 by a team of plastic surgeons to offer clinics:
“digital & cutting edge technology tools that will help solve the before & after imaging issues, reassure your patients, simplify your data management and improve your e-reputation.”
The company has grown rapidly. It achieved a global presence in 2019, with 170 clinics worldwide in 35 countries, and a €1m investment for further global expansion.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.
In this case, the database was named after the company, so we quickly identified NextMotion as the potential owner. We investigated further to ensure this was correct before moving forward.
- Date discovered: 24th January 2020
- Date vendors contacted: 27th January 2020
- Date of contact with AWS: 30th January 2020
- Date of Action: 5th February 2020
- Date of Reply: 11th February 2020
Example of Entries in the Database
NextMotion claims on its website that:
“All your data is 100% secure, stored on medical clouds that are compliant with the latest health data storage regulations in your country (GDPR, HIPAA, ISO, etc.).”
Based on our team’s discovery, however, this was not the case.
NextMotion was using an Amazon Web Services (AWS) S3 bucket database to store patient image files and other data but left it completely unsecured.
Our team had access to almost 900,000 individual files. These included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology.
The private personal user data we viewed included:
- Invoices for treatments
- Outlines for proposed treatments
- Video files, including 360-degree body and face scans
- Patient profile photos, both facial and body
In the following scan, a patient’s various plastic surgery procedures are outlined, with costs and dates involved.
Paperwork files for less intense procedures were also exposed, as seen in the next two examples.
Below are examples of patients preparing for procedures on their faces. This includes screenshots we took from videos we viewed. (Blurring done by our team for privacy purposes)
Many more images were not just sensitive but also very graphic. Our team viewed close-up photos of women’s exposed breasts and genitals, including images taken immediately following a surgical procedure. (A suitable example is shown below)
Such photos being released into the public domain would be devastating for the women affected.
The origins of the photos and files within the database are not clear at the time of writing, as there’s little information attached to them. This leak possibly affected NextMotion clients (and their patients) around the world.
The exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients. This type of data can be used to target people in a wide range of scams, fraud, and online attacks.
NextMotion’s database posed a real risk to the people exposed, with wide-ranging privacy and security implications for all those involved.
Data Breach Impact
Given the highly sensitive and personal nature of the files within the exposed database – relating to medical procedures, patient finances, and containing graphic images – NextMotion should have done more to keep this information secure.
NextMotion is clearly aware of this. The company’s website repeatedly states the various government regulations and data security laws they comply with (“GDPR, HIPAA, ISO, etc.”).
Despite their best efforts, it seems, they have failed to protect the data of people using their technology. In doing so, they created a wide range of potential issues.
Data privacy is not just a critical business concern for companies working in medical industries. There are serious legal considerations. By exposing patient files, images, and PII, NextMotion could be liable for legal action by the patients themselves, or by regulatory bodies in the countries in which they operate.
As NextMotion is based in France, it falls within the EU’s jurisdiction and GDPR. This is something NextMotion is aware of – the company claims to be “100% GDPR and Health data compliant”.
However, by not protecting the patient data of its clients, NextMotion could still face fines or other legal action under GDPR.
The leaked data could also lead to loss of clients. If clinics don’t trust NextMotion to keep their patients’ data secure, they will be reluctant to use the company’s technology. This could result in NextMotion losing current clients and affect their planned expansions to new markets.
Finally, competitors could have seized on a leak like this to undermine NextMotion. Not only would it give insight into how its software works, allowing them to replicate it, but they could also take the opportunity to exploit negative press around the leak.
All of these outcomes could result in long-lasting damage to NextMotion, their reputation, and their revenue.
For NextMotion’s Clients
Most likely, NextMotion’s clients would face the brunt of patients’ negative reactions to their details being leaked.
The following consent form is from one of NextMotion’s premier clients, a famous clinic in France. The clinic features as a reference on their website, but may not want to be so strongly associated with this data leak.
They could lose business if people aren’t comfortable using software that may expose their data and choose a competitor clinic. This would also reduce the value of any investment made in NextMotion technology by a clinic.
The clinics themselves may also face legal action if somebody deems them liable for the leak in any way. This would be a time-consuming and financially costly outcome, whether they’re found guilty or not by a court.
Similarly to NextMotion, this leak could have had many severe implications for any clinic using their software.
The biggest concern in this leak is the privacy and security issues it would have created for the patients themselves.
Aside from the incredibly sensitive and intimate nature of the files exposed, they also made those affected vulnerable to numerous forms of fraud, theft, and online attack.
Blackmail, Extortion, and Fraud
If criminal hackers accessed this database, they could have threatened patients (or the clinics) with releasing the files and causing them embarrassment, body shaming, or worse.
Hackers could use PII and financial records to target patients with identity theft, phishing campaigns, and financial fraud.
This actually happened after a database belonging to The Center for Facial Restoration (TCFR) in Florida, USA, was hacked in November 2019. Cybercriminals planted ransomware on the clinic’s servers and demanded a ransom for not exposing patients. They also contacted patients directly with similar demands.
Unable to recover the stolen files, TCFR believes ‘victimization of past and current clients could go on for years’ and that the hack affected ‘up to 3,500 patients’.
A similar outcome, on a much larger scale, could have occurred for clients of NextMotion and their patients had somebody else discovered this database.
The impact on their relationships, finances, and personal lives would be devastating.
Advice from the Experts
NextMotion could have easily avoided this leak if it had taken some basic security measures to protect its database. These include, but are not limited to:
- Securing their servers.
- Implementing proper access rules.
- Never leaving a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size.
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
Securing an Open S3 Bucket
It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
In the case of NextMotion, the quickest way to fix this error would be to:
- Reconfigure the S3 bucket’s settings to be more secure.
- Make the bucket private and add authentication protocols.
- Follow AWS access and authentication best practices.
- Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
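The checks behind these steps can be run offline against a bucket's saved settings. The following is an added example, not code from this report, NextMotion, or AWS: it audits an ACL, a bucket policy, and a Public Access Block configuration for public exposure. The report does not say which setting left the bucket open, so both are checked; `audit_bucket`, the bucket name, and the sample values are hypothetical.

```python
# Added example: offline audit of S3 bucket settings for public exposure.
# Inputs mirror the shapes of S3 GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock.
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _wildcard(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(acl, policy_json, pab):
    """Return findings; an empty list means no effective public exposure was found."""
    findings, pab = [], pab or {}
    for key in PAB_KEYS:
        if not pab.get(key):
            findings.append(f"public-access-block: {key} is not enabled")
    if not pab.get("IgnorePublicAcls"):  # existing public ACL grants still apply
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"acl: {grant['Permission']} granted to {uri.rsplit('/', 1)[-1]}")
    if policy_json and not pab.get("RestrictPublicBuckets"):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            # Simplification (assumption): a wildcard-principal Allow with no
            # Condition is treated as public; conditioned statements need review.
            if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                    and _wildcard(stmt.get("Principal"))):
                actions = ",".join(_as_list(stmt.get("Action", [])))
                findings.append(f"policy: {actions} allowed for any principal")
    return findings

# Constructed sample inputs (not data from the incident).
OPEN_ACL = {"Grants": [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED_PAB = dict.fromkeys(PAB_KEYS, True)
if __name__ == "__main__":
    print("\n".join(audit_bucket(OPEN_ACL, OPEN_POLICY, None)))
```

With all four Public Access Block settings enabled, the same public ACL and policy produce no findings, because `IgnorePublicAcls` and `RestrictPublicBuckets` neutralise them.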
For NextMotion Clients
If you’re a client of NextMotion and concerned about how this breach might impact you, contact NextMotion directly to learn what measures they’re taking.
For Patients of NextMotion Clients
Speak to your surgeon or clinic to confirm if they’re using NextMotion. Ask what steps they are taking to ensure your data and records haven’t been exposed.
To learn more about data vulnerabilities and leaks in general, read our complete guide to online privacy.
It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in NextMotion’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They investigate each hole for data being leaked.
When they find a data breach, they use expert techniques to verify the database’s identity. We then alert the company of the breach. If possible, we will also inform any other party affected by the breach.
Our team was able to access this database because it was completely unsecured and unencrypted.
The purpose of this web mapping project is to help make the internet safer for all users.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to NextMotion, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.
These ethics also mean we carry a responsibility to the public. NextMotion clients and their patients must be aware of a data breach that impacts them too.
We also never sell, store, or expose any information we encounter during our security research.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data leaks in recent years, many of them in France and Europe.
This has included an enormous data leak on Genius, an app built by the French postal service. We also revealed that a company owned by European hotel giant AccorHotels compromised the privacy and security of hotel guests around the world. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
NextMotion’s Comment: “We were informed on January 27, 2020, that a cybersecurity company had undertaken tests on randomly selected companies and had managed to access our information system. They were able to extract videos and photos from some of our patients’ files. This data had been de-identified – identifiers, birth dates, notes, etc. – and thus was not exposed.
This company operates with the only goal to check security and alerted us of a potential risk of intrusion. We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared. This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application.
As a reminder, all your data is stored in France, in a secure HDS (personal data hosting) compliant medical cloud. Our application and our data management practice were audited in 2018 by a GDPR (General Data Protection Regulation) specialized law firm, in order to ensure our compliance with the data regulation which came into effect in 2019.
This company also contacted the ‘Le Parisien’ newspaper with whom I spoke this morning. A press article on this topic will probably be published in the coming days, which could raise concerns with your patients. We stand by you to answer precisely any questions worried patients may have. You can if you wish suggest they send us their questions in writing at this email address: email@example.com
You must know that I am personally committed to securing the technologies we make available to you.
Please accept my sincere apologies for this fortunately minor incident.”
[Publication date: 14.02.2020]