[MEDICAL DATA] A data management service leaks photos of thousands of plastic surgery patients

Researchers at vpnMentor issued an alarming report on the security practices of the data management company storing most of the patient files of plastic surgery clinics around the world. NextMotion, the company involved, provides data management services to 170 clinics, enabling them to centralize their patients’ files as well as photos and videos. NextMotion guarantees that the files, many of them photos of naked body parts, are protected in compliance with the GDPR. Yet vpnMentor made two worrying discoveries: first, that NextMotion’s database is in reality public, as it is stored within an S3 bucket, AWS’ public cloud; second, that there are no access control mechanisms to protect it. The researchers were thus able to easily access 900,000 individual files containing photos of patients’ bodies and faces, invoices and prescriptions. After the team reported it to NextMotion and AWS at the end of January, the breach was fixed on February 5th (Source: HackRead). Still, the team advises patients to stay cautious about clinics’ data storage practices.