CYBER SECURITY: 1,000s of Plastic Surgery Patients Exposed in Massive Data Leak
February 17, 2020
Syndicated By Iain Fraser - Editor-at-Large
City of London Newsroom
Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a breached
database belonging to plastic surgery technology company NextMotion.
NextMotion provides clinics working in dermatology, cosmetic, and plastic surgery with
digital photography and video devices for their patients.
The compromised database contained 100,000s of profile images of patients, uploaded via
NextMotion’s proprietary software. These were highly sensitive, including images of patients’
faces and specific areas of their bodies being treated.
This breach made NextMotion, its clients, and their patients incredibly vulnerable and
represented a significant lapse in the company’s data privacy policies.
Based in France, NextMotion was established in 2015 by a team of plastic surgeons to offer clinics:
“digital & cutting edge technology tools that will help solve the before & after imaging issues,
reassure your patients, simplify your data management and improve your e-reputation.”
The company has grown rapidly. It achieved a global presence in 2019, with 170 clinics worldwide in
35 countries, and a €1m investment for further global expansion.
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue quickly
resolved. But rare are these times. Most often, we need days of investigation before we understand
what’s at stake or who’s leaking the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to
publish accurate and trustworthy reports, ensuring everybody who reads them understands their
seriousness.
Some affected parties deny the facts, disregarding our research, or playing down its impact.
So, we need to be thorough and make sure everything we find is correct and accurate.
In this case, the database was named after the company, so we quickly identified NextMotion as
the potential owner. We investigated further to ensure this was correct before moving forward.
You can click here to read/download the full report
Meanwhile, Data Leaks in the Medical Industry Continue
Chase Williams at WizCase has reported to GEO´ that, after their previous report on
database leaks from medical websites around the world,
WizCase’s security team diligently continued their research. They discovered 3 additional
unsecured medical databases with confidential information, including full names, passport
numbers, birth dates, addresses, and phone numbers.
These databases were found in the context of performing research to help companies secure
their data. They were left unencrypted and required no password to access the sensitive
information within.
Every company and their hosting provider has been contacted with the security team’s findings.
Our goal is to inform them of the leaks so they can secure the exposed servers, protecting their
patients’ private information.
You can click here to read/download the full report