Photos and personal information belonging to patients of the NextMotion plastic surgery tech firm have been exposed online through an unsecured S3 bucket.

Hundreds of thousands of documents containing photos and personal information belonging to patients of the plastic surgery technology company NextMotion have been exposed online through an unsecured Amazon Web Services (AWS) S3 bucket.

NextMotion is a French plastic surgery tech company that provides imaging and patient management software that allows complete treatment records on an aesthetic patient.

The software is able to create before and after pictures and videos of patients during the treatment process.

“ Nextmotion is an ecosystem based on a medical cloud that allows you to sort, store and access your data wherever you are,” states the company on its website.

“In that sense, all your data is covered with the highest requested security level as it is hosted in France on servers authorized by the Haute Autorité de Santé (French Health Authority) – in our case, AWS who is certified.”

The S3 bucket contained approximately 900,000 files, including highly sensitive patient images and videos, as well as plastic surgery, and consultation documents.

“The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software. These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated.” reads the post published by vpnMentor . “Our team had access to almost 900,000 individual files. These included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology.”

The personal patients’ information viewed by the experts included invoices for treatments, outlines for proposed treatments, video files, including 360-degree body and face scans, profile photos of the patients (both facial and body).

According to NextMotion, patient data stored in the unsecured database “had been de-identified,” but vpnMentor experts pointed out that paperwork and invoices leaked also contained Personally Identifiable Information (PII) data of patients.

“We were informed on January 27, 2020, that a cybersecurity company had undertaken tests on randomly selected companies and had managed to access our information system.” reads the notice published by the company. “They were able to access and extract medias (videos and photos) from some of our patients’ files. Those media were on a specific database separated from patient’s text database (names, birth dates, notes, etc ) – only the media database was exposed, patient’s database was not exposed.”

Experts explained that the type of data leaked online can be abused to target patients in a wide range of malicious activities, including scams, fraud, and phishing and other attacks.

NextMotion pointed out that it has immediately implemented corrective measured to protect its customers.

Below the timeline of the discovery of the data leak:

Date discovered: 24/01

Date vendors contacted: 27/01

Date of contact with AWS: 30/01

Date of Action: 5/02

Date of Reply: 11/02

In October 2017, another incident affected plastic surgery patients. The celeb London Bridge Plastic Surgery clinic confirmed in a statement that it was the victim of a cyber attack, the alleged culprit is a well-known hacker that goes online with the moniker The Dark Overlord.

Pierluigi Paganini