A recently disclosed breach of a database belonging to plastic surgery technology company NextMotion adds to the list of cyber attacks on the healthcare industry in 2020. It is critical to gauge the seriousness of the attack and how easily the data could be retrieved. According to the report by vpnMentor, because the database was named after the company, NextMotion was easily identified as its likely owner. The timeline of the investigation into the incident was:
- Date discovered: 24/01
- Date vendors contacted: 27/01
- Date of contact with AWS: 30/01
- Date of Action: 5/02
- Date of Reply: 11/02
The compromised database contained hundreds of thousands of profile images of patients, uploaded via NextMotion’s proprietary software. These were highly sensitive, including images of patients’ faces and of the specific areas of their bodies being treated, says the vpnMentor report. The team had access to almost 900,000 individual files, which included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations performed by clinics using NextMotion’s technology.
NextMotion posted an update on its website on 15th February:
“We were informed on January 27, 2020, that a cyber security company had undertaken tests on randomly selected companies and had managed to access our information system. They were able to access and extract media (videos and photos) from some of our patients’ files. These media are stored in a specific database separated from the patients’ personal data database (names, birth dates, notes, etc) – only the media database was exposed, not the patients’ database.”
The severity of the data breach
NextMotion was using an Amazon Web Services (AWS) S3 bucket to store patient image files and other data, but left it completely unsecured. The private personal user data the researchers viewed included:
- Invoices for treatments
- Outlines for proposed treatments
- Video files, including 360-degree body and face scans
- Patient profile photos, both facial and body
The origins of the photos and files within the database were not clear at the time of writing, as there’s little information attached to them. This leak possibly affected NextMotion clients (and their patients) around the world, note the researchers. The exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients, which can be used to target people in a wide range of scams, fraud, and online attacks. NextMotion’s database posed a real risk to the people exposed, with wide-ranging privacy and security implications for all those involved, warn the researchers.
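The root cause described above is a storage bucket reachable by anyone. As an added example (not code from vpnMentor or NextMotion), the following Python audits an S3 bucket's three exposure controls together, the Public Access Block settings, the bucket policy and the bucket ACL, and reports what is still reachable anonymously. The bucket name, policy and ACL documents are constructed samples; the setting names and global group URIs are AWS's own.

```python
import json

# ACL grantee URIs that mean "everyone" and "any AWS account holder" (AWS-defined)
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (the latter possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Return Sids (or positional index) of Allow statements open to everyone."""
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    return [s.get("Sid", str(i)) for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal"))]

def public_acl_grants(acl_grants):
    """Return permissions the bucket ACL grants to AllUsers/AuthenticatedUsers."""
    return [g["Permission"] for g in acl_grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS]

def audit_bucket(public_access_block, policy_json, acl_grants):
    """Combine the three controls; an empty list means nothing is reachable anonymously."""
    pab = public_access_block or {}  # no Public Access Block configured at all
    findings = []
    # RestrictPublicBuckets neutralises a public bucket policy that is already in place
    if not pab.get("RestrictPublicBuckets", False):
        findings += [f"policy statement {sid} allows everyone" for sid in public_policy_statements(policy_json)]
    # IgnorePublicAcls neutralises public ACL grants that are already in place
    if not pab.get("IgnorePublicAcls", False):
        findings += [f"ACL grants {perm} to a global group" for perm in public_acl_grants(acl_grants)]
    return findings

# Constructed sample: a media bucket as exposed, and the same bucket after hardening
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media-bucket/*"}]})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {key: True for key in NO_BLOCK}

if __name__ == "__main__":
    print(audit_bucket(NO_BLOCK, OPEN_POLICY, OPEN_ACL))    # two findings
    print(audit_bucket(FULL_BLOCK, OPEN_POLICY, OPEN_ACL))  # []
```

In a real account the three inputs come from GetPublicAccessBlock, GetBucketPolicy and GetBucketAcl respectively; the check is purely local once they are fetched.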
NextMotion states on its data security page:
“This Company operates with the only goal to check security and alerted us of a potential risk of intrusion. Amazon Web Services warned us on the 30th of January; after internal discussions with Amazon’s support, we immediately took corrective steps on the 4th February. The cybersecurity company formally guaranteed that the security flaw had completely disappeared. This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application.”
Despite the company’s efforts, and the statement on its website listing the government regulations and data security laws it complies with (“GDPR, HIPAA, ISO, etc.”), the failure is evident.
NextMotion’s CEO, Dr Emmanuel Elard, apologised for the incident and closed with:
“You must know that I am personally committed to securing the technologies we make available to you. Please accept my sincere apologies for this incident.”