Hundreds of thousands of documents containing photos and personal information belonging to patients of the plastic surgery technology company NextMotion have been exposed online through an unsecured Amazon Web Services (AWS) S3 bucket.
The software is able to create before and after pictures and videos of patients during the treatment process.
“In that sense, all your data is covered with the highest requested security level as it is hosted in France on servers authorized by the Haute Autorité de Santé (French Health Authority) – in our case, AWS who is certified.”
The S3 bucket contained approximately 900,000 files, including highly sensitive patient images and videos, as well as plastic surgery, and consultation documents.
“The compromised database contained 100,000s of profile images of patients, uploaded via NextMotion’s proprietary software. These were highly sensitive, including images of patients’ faces and specific areas of their bodies being treated.” reads the post published by
The personal patients’ information viewed by the experts included invoices for treatments, outlines for proposed treatments, video files, including 360-degree body and face scans, profile photos of the patients (both facial and body).
According to NextMotion, patient data stored in the unsecured database “had been de-identified,” but
“We were informed on January 27, 2020, that a
Experts explained that the type of data leaked online can be abused to target patients in a wide range of malicious activities, including scams, fraud, and phishing and other attacks.
Below the timeline of the discovery of the data leak:
In October 2017, another incident affected plastic surgery patients. The celeb London Bridge Plastic Surgery clinic confirmed in a statement that it was the victim of a cyber attack, the alleged culprit is a well-known hacker that goes online with the moniker The Dark Overlord.