Thousands of images, videos and records pertaining to plastic surgery patients were left on an exposed database, where they could be viewed by anyone with the right IP address, researchers said Friday. The data included about 900,000 records, which researchers say could belong to thousands of different patients.
The data was generated at clinics around the world using software made by French imaging company NextMotion. Images in the database included before-and-after photos of cosmetic procedures. Those photos often contained nudity, the researchers said. Other records included images of invoices that contained information that would identify a patient. The database is now secured.
Researchers Noam Rotem and Ran Locar found the exposed database. They published their research with vpnMentor, a security website that rates VPN services and earns commissions when readers make purchases. Rotem said he sees exposed health care databases all too often as part of his web-mapping project, which looks for exposed data.
“The state of privacy protection, especially in health care, is really abysmal,” Rotem said.
NextMotion, which says on its website that it has 170 clinics as customers in 35 countries, said in a statement to its clients that it had addressed the problem. “We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared,” said NextMotion CEO Emmanuel Elard in the statement. “This incident only reinforced our ongoing concern to protect your data and your patients’ data when you use the Nextmotion application.”
Elard went on to apologize for the “fortunately minor incident.”
While NextMotion said the photos and videos don’t include names or other identifying information, many of the images show patients’ faces, according to vpnMentor. Some of the invoices detail the types of procedures patients received, such as acne scar removal and abdominoplasty, and contain patients’ names and other identifying information.