Plastic surgery images and invoices leak from unsecured database

The images, many of them graphic, came from a French imaging company called NextMotion.

Laura Hautala Former Senior Writer
Photo: A woman's face marked with dotted lines (Getty Images stock image; not from the exposure).

Thousands of images, videos and records pertaining to plastic surgery patients were left on an unsecured database, where anyone who found its IP address could view them without logging in, researchers said Friday. The data included about 900,000 records, which researchers say could belong to thousands of different patients.

The data was generated at clinics around the world using software made by French imaging company NextMotion. Images in the database included before-and-after photos of cosmetic procedures. Those photos often contained nudity, the researchers said. Other records included images of invoices that contained information that would identify a patient. The database is now secured.

Researchers Noam Rotem and Ran Locar found the exposed database. They published their research with vpnMentor, a security website that rates VPN services and earns commissions when readers make purchases. Rotem said he sees exposed health care databases all too often as part of his web-mapping project, which looks for exposed data.

"The state of privacy protection, especially in health care, is really abysmal," Rotem said.

NextMotion, which says on its website that it has 170 clinics as customers in 35 countries, said in a statement to its clients that it had addressed the problem.

"We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared," said NextMotion CEO Emmanuel Elard in the statement. "This incident only reinforced our ongoing concern to protect your data and your patients' data when you use the Nextmotion application."

Elard went on to apologize for the "fortunately minor incident."

While NextMotion said the photos and videos don't include names or other identifying information, many of the images show patients' faces, according to vpnMentor. Some of the invoices detail the types of procedures patients received, such as acne scar removal and abdominoplasty, and contain patients' names and other identifying information.

The leak is the latest exposure of data from an unsecured cloud database, a global problem that affects a range of sensitive information. Exposed databases have leaked the records of drug rehab patients in the US, the national identity numbers of Peruvian moviegoers and the expected salaries of job seekers around the world. The problem stems from companies moving customer data into cloud-hosted databases without access controls in place, so the database answers to anyone on the internet who finds it. It affects countless databases, researchers say.
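The exposure pattern described above (a data store that answers to anyone who reaches its address, with no credentials) can be checked for from the outside with a single unauthenticated request. The script below is an added example, not code from vpnMentor, NextMotion or CNET; the article does not say what database product NextMotion used, so it assumes a data store with an HTTP front end (Elasticsearch and CouchDB are common examples) and uses a constructed local stand-in server, once wide open and once requiring authentication, so that it runs offline.

```python
"""Check whether an HTTP-fronted data store answers without credentials.

Added example (hypothetical names, not from the article). The 'fake store'
below is a constructed stand-in for a real database's HTTP interface; point
check_exposure() at a real base URL to run the same probe against your own
deployment from an address outside your network.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_response(status):
    """Map the status of a credential-less GET to an exposure verdict.

    2xx  -> 'open'           the store served data to an anonymous client
    401/403 -> 'auth_required' the store demanded credentials (expected)
    anything else -> 'other' (redirects, 404 on a non-store host, errors)
    """
    if status in (401, 403):
        return "auth_required"
    if 200 <= status < 300:
        return "open"
    return "other"


def probe(url, timeout=5):
    """Issue one GET with no Authorization header; return (status, body)."""
    # Disable proxy env vars so the probe goes straight to the target.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status
        return err.code, err.read()


def check_exposure(url):
    """Return 'open', 'auth_required' or 'other' for the store at url."""
    status, _body = probe(url)
    return classify_response(status)


class _FakeStore(BaseHTTPRequestHandler):
    """Constructed stand-in for a database HTTP API (not a real product)."""
    require_auth = False

    def do_GET(self):
        if self.require_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="store"')
            self.end_headers()
            return
        # Constructed sample record; an open store would return real rows here.
        payload = json.dumps({"records": [{"id": 1, "invoice": "sample"}]}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_store(require_auth):
    """Start a local stand-in store on a random port; return (server, base_url)."""
    handler = type("Handler", (_FakeStore,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def demo():
    """Probe an open and a locked stand-in store; return verdicts by name."""
    results = {}
    for name, auth in (("open_store", False), ("locked_store", True)):
        server, url = start_fake_store(auth)
        try:
            results[name] = check_exposure(url)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

An 'open' verdict from an address outside your own network is the condition the researchers describe: the database is reachable and serving data to anonymous clients. The check is deliberately read-only and sends one request, so it is safe to run against your own hosts as a routine control; 'other' results (for example a 404 or a redirect to a login page) need a human look rather than being treated as safe.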

Rotem said it wasn't possible to know how many patients had information exposed in the NextMotion database, because each patient was likely to have multiple records in the system. Still, it was potentially thousands of patients.

The NextMotion website says it provides a "secure medical cloud" with its servers in France to store records for cosmetic clinics around the world. The web page dedicated to data security includes logos relating to data security laws, including the US Health Insurance Portability and Accountability Act (HIPAA) and the European Union's General Data Protection Regulation (GDPR).

Rotem said these laws require many more layers of security protection for the data the researchers found. He said some of the images were 360-degree videos of patients' nude bodies. Some included images of genitalia.

"It's really, really, really something you don't want to put online," he said.
