Photos of breasts and private parts, price quotes and detailed invoices for the surgical operations undergone. At the end of January, cybersecurity researchers at VPN Mentor discovered, to their surprise, that patient files from 170 clinics and cosmetic surgery practices around the world, including 26 located in France, were freely accessible on a poorly secured server.
"The compromised database contained 900,000 documents uploaded via NextMotion's internal software, including photo and video files of patients before and after the operations," explain Noam Rotem and Ran Locar.
For insurance reasons in particular, all cosmetic surgery clinics must provide their patients with comparisons before and after the operation. NextMotion responds to this need by digitizing this data.
"These are very sensitive documents, including the faces and body parts of the patients treated. This leak makes the company, its customers and patients vulnerable," they explain.
However, it is impossible to say with certainty whether malicious people also had access to NextMotion's multimedia data. An internal investigation is underway to determine how long the data has been available.
"We sealed the breach on Wednesday, changed the passwords and we launched an emergency audit to prevent this from happening again," responded Emmanuel Elard, the CEO of this start-up. All customers have been informed by e-mail of this "potential risk of intrusion".
The law requires medical companies to store their data with Health Data Hosters (HDS) certified by the Ministry of Health. The data security procedure was followed, but a human error left the door ajar on one server.
The Israeli researchers, who regularly scan IP addresses on the Internet in search of poorly protected databases, therefore came across the files easily. They dug into them to gather tangible evidence and alert the company concerned.
"The potential leak did not concern personal medical files, which were stored on another server," reassures Dr. Elard. "The visual data was anonymized: identifiers, dates of birth and notes were therefore not exposed."
A Parisian clinic very popular with stars
Founded in 2015 by this cosmetic surgeon, NextMotion boasts a portfolio of 170 specialized clinics in 35 countries, including the most famous in France, the Champs-Élysées Clinic, where stars have flocked for more than 50 years.
Among the documents retrieved by the researchers, which we were able to consult, there is in particular an "informed consent" letter bearing the letterhead of the Parisian health establishment, but apparently no photos or videos of well-known patients.
"We do not store the documents of public figures online but internally because the disclosure of their medical secret would have a real media impact," insists Tracy Cohen, the director of the establishment.
"Our service provider guaranteed that no image had been uploaded by anyone other than these researchers. So we are calm," she says.
The VPN Mentor specialists, who previously revealed a data leak at an Accor subsidiary, present themselves as "ethical" hackers who want to raise awareness about data protection. The prevention message is clearly still struggling to get across.