[German]Security researchers has found a massive data leak at NextMotion, a plastic surgery technology company. A compromised database contained 100,000s of profile images of patients.
NextMotion is a technology company, providing clinics working in dermatology, cosmetic, and plastic surgery with digital photography and video devices for their patients. The company is based in France, was established in 2015 by a team of plastic surgeons to offer clinics:
“digital & cutting edge technology tools that will help solve the before & after imaging issues, reassure your patients, simplify your data management and improve your e-reputation.”
The company has grown rapidly. It achieved a global presence in 2019, with 170 clinics worldwide in 35 countries, and a €1m investment for further global expansion. The video below gives an impression of their work.
They write: Meet the new standard in aesthetic process management. Nextmotion is the best solution for running a 100% connected aesthetic activity. Create dynamic standardized videos, manage your daily activities and learn about your patients.
They offer a ‘portfolio on the cloud’, to get constant access to the best before/afters (surgery). And they promise, they have a ‘secure medical cloud’.
(Screenshot Nextmotion advertising web site)
So this technology company works in a very sensitive area, where data of patients need to be stored safely.
The data breach
A team of security researchers from vpnmentor, lead by Noam Rotem and Ran Locar, discovered a breached database belonging to plastic surgery technology company NextMotion on January 24, 2020. The database was named after the company, so the team quickly identified NextMotion as the potential owner. vpnmentor investigated further to ensure this was correct before moving forward.
NextMotion was using an Amazon Web Services (AWS) S3 bucket database to store patient image files and other data but left it completely unsecured. Despite NextMotion write on their web site that:
“All your data is 100% secure, stored on medical clouds that are compliant with the latest health data storage regulations in your country (GDPR, HIPAA, ISO, etc.).”
The vpnmentor security team had access to to almost 900,000 individual files. These files includes included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology. The private personal user data the security researcher viewed included:
- Invoices for treatments
- Outlines for proposed treatments
- Video files, including 360-degree body and face scans
- Patient profile photos, both facial and body
In the following scan, a patient’s various plastic surgery procedures are outlined, with costs and dates involved.
Below are examples of patients preparing for procedures on their faces. This includes screenshots the security team took from videos viewed. The images are blurred for privacy purposes.
Many more images were not just sensitive but also very graphic. Our team viewed close up photos of women’s exposed breasts and genitals, including images taken immediately following a surgical procedure.
The origins of the photos and files within the database are not clear at the time of writing, as there’s little information attached to them. This leak possibly affected NextMotion clients (and their patients) around the world. Such photos being released into the public would be devastating for the women/patients affected.
The exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients. This type of data can be used to target people in a wide range of scams, fraud, and online attacks. NextMotion’s database posed a real risk to the people exposed, with wide-ranging privacy and security implications for all those involved.
The impact of this data breach
Given the highly sensitive and personal nature of the files within the exposed database – relating to medical procedures, patient finances, and containing graphic images – it’s a desaster for NextMotion, and the company should have done more to keep this information secure (for instance encrypted). Let’s say: NextMotion is clearly aware of this sensitive nature. The company’s website repeatedly states the various government regulations and data security laws they comply with (“GDPR, HIPPA, ISO, etc.”).
Despite their best efforts, it seems, they have failed to protect the data of people using their technology. In doing so, they created a wide range of potential issues. As vpnmentor people write:
Data privacy is not just a critical business concern for companies working in medical industries. There are serious legal considerations. By exposing patient files, images, and PII, NextMotion could be liable for legal action by the patients themselves, or regulatory bodies within the countries they operate.
Because NextMotion is based in France, it falls within the EU’s jurisdiction and GDPR. This is something NextMotion is aware of – the company claims to be “100% GDPR and Health data compliant”. So NextMotion could – and would – face fines or other legal action under GDPR regulation.
The leaked data could also lead to loss of clients. If clinics don’t trust NextMotion to keep their patients’ data secure, they will be reluctant to use the company’s technology. This could result in NextMotion losing current clients and affect their planned expansions to new markets. Many more implications could read on vpnmentor’s blog post here.
After NextMotion has been contacted by vpnmentor on 27/01/2020 it took until February 11, 2020, for a reply. Here is the timeline published by vpnmentor:
- Date discovered: 24/01
- Date vendors contacted: 27/01
- Date of contact with AWS: 30/01
- Date of Action: 5/02
- Date of Reply: 11/02
The above information was provided to my by a mail from vpnmentor to me. The whole story may be read within this article.
NextMotion confirmed the leak
Addenum: After publishing this article, based on information provided by vpnmentor, I also found the press release from NextMotion. Here is the text:
We were informed on January 27, 2020, that a cybersecurity company had undertaken tests on randomly selected companies and had managed to access our information system. They were able to extract videos and photos from some of our patients’ files. This data had been de-identified – identifiers, birth dates, notes, etc. – and thus was not exposed.
This company operates with the only goal to check security and alerted us of a potential risk of intrusion. We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared. This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application.
As a reminder, all your data is stored in France, in a secure HDS (personal data hosting) compliant medical cloud. Our application and our data management practice were audited in 2018 by a GDPR (General Data Protection Regulation) specialized law firm, in order to ensure our compliance with the data regulation which came into effect in 2019.
This company also contacted press. Articles on this topic will probably be published in the coming days, which could raise concerns with your patients. We stand by you to answer precisely any questions worried patients may have. You can if you wish suggest they send us their questions in writing at this email address : email@example.com
You must know that I am personally committed to securing the technologies we make available to you.
Please accept my sincere apologies for this fortunately minor incident.
Dr Emmanuel ELARD,
CEO of NextMotion