Security teams from the Israeli company vpnmentor regularly comb the Internet for open servers and unsecured databases. On January 24, 2020, a security team found an unsecured database in an Amazon AWS cloud S3 bucket. The database contained around 900,000 files that apparently came from patient files.
Doctors used manufacturer cloud
Since this database was named, NextMotion could be identified as the operator relatively quickly from the data. The patient data had been stored in the company's supposedly secure medical cloud by doctors using NextMotion tools. There, the security researchers had access to highly sensitive images, video files and documents on interventions in the field of plastic surgery, dermatological treatments and patient advice, which were carried out by clinics with the NextMotion technology.
The content of the database ranges from invoices for treatments to sketches for interventions to video files with 360-degree scans of patients' bodies and faces. There were also the most intimate photos of patients before and after breast or buttock surgery. The security team contacted NextMotion on January 27, and the data was no longer available on February 5.
Serious consequences feared
The Security researchers stateto have also found data with which patients can be identified and which partly relate to financial information about these persons. The names of operating surgeons can also be found in the documents. It is a disaster for the affected patients and their doctors if such confidential medical records become public or in the hands of cybercriminals – the latter could open the door to abuse.
This security incident is also a disaster for NextMotion, as it undermines its business model of 'securely storing data in a medical cloud'. The security researchers at vpnmentor write in their blog post that this may be detrimental to the company, as customers lose confidence in the company's services and patients may be asked to pay damages.
Service provider for cosmetic surgery
The French company NextMotion was founded in 2015 by a team of plastic surgeons to offer clinics services and tools for documenting cosmetic surgery. With their own tools, cosmetic surgeons should be able to document the results before and after surgery and show them to their patients. The company advertises that with the photo, video and software tools, the patients can be reassured and the reputation of the respective cosmetic surgeon can be improved. Because the patient can be shown on a tablet or smartphone with before / after photos and videos, how a cosmetic surgery or a dermatological treatment works.
All data that is collected using the company's tools should be stored in a secure, HDS-compliant (Personal Data Hosting) medical cloud, but should be accessible by the doctor everywhere, even using a cell phone app. The company works in a very sensitive, medical environment, where patient data must be stored securely. On the website, the company emphasizes that the highest demands such as DSGVO. HIPPA, ISO, etc. are met. The company is now globally active in 170 clinics in 35 countries and is striving for further global expansion.
The company tries to play down
In a communication from the company at the Data security website The company's CEO admits the data incident, but the submissions do not give the impression that they are aware of the seriousness of the situation. For example, reference is made to the secure medical cloud and secure hosting (personal data hosting). The application and NextMotion data management practice had been checked in 2018 by a law firm specializing in GDPR (the GDPR) in order to ensure compliance with the data regulation that allegedly came into force in 2019, according to the CEO of the company in his submission – the announcement is apparently hastily prepared because the General Data Protection Regulation came into force on May 25, 2018 and not until 2019.
The fact that all of these measures have failed remains as unmentioned as a statement about where the error was or how it should be avoided in the future. The company's CEO, who holds a doctorate, even denies that personal information such as addresses, birth dates, etc. was available there, and tries to appease customers.
In addition, the statements are contrary to the statements of the security researchers, who were able to view the invoices and other personal documents from the patient files and have partially published them in blackened or pixelated form. The CEO also seems to be unfamiliar with the fact that photos and videos make a person identifiable. In retrospect, the certification by a specialized law firm was obviously not worth the money, because the scenario that had now occurred, including countermeasures (e.g. encrypted storage of the files), would have had to be analyzed in order to assess data protection law.
The long arm of the General Data Protection Regulation
What the Israeli security researchers completely missed: Every doctor who used the services of the provider NextMotion and saved data there may have committed a data protection violation under the GDPR with the incident. After all, NextMotion is ultimately an order data processor and the doctor in liability without adequate protection under data protection law.
Since it is medical and very personal data, the incident (even if it was uncovered by security researchers and there is currently no evidence of misuse) is serious from the perspective of the DGSVO. Patients could also sue their doctors for damages, if necessary, and authorities would have to investigate all of the company's customers for the GDPR violation within the scope of the GDPR. This becomes interesting when the question is whether German cosmetic surgeons and clinics were customers of NextMotion. An inspection could result in unforeseen implications for all involved. Further details on the uncovered data protection violation can also be found at vpnmentor.
(Günter Born) /
. (tagsToTranslate) Cloud Computing (t) Data Theft (t) Healthcare (t) Leak (t) Medicine