Patient data from the French medical cloud open on the Internet


Security teams from the Israeli company vpnmentor regularly comb the Internet for open servers and unsecured databases. On January 24, 2020, a security team found an unsecured database in an Amazon AWS cloud S3 bucket. The database contained around 900,000 files that apparently came from patient files.


Since this database was named, NextMotion could be identified as the operator relatively quickly from the data. The patient data had been stored in the company's supposedly secure medical cloud by doctors using NextMotion tools. There, the security researchers had access to highly sensitive images, video files and documents on interventions in the field of plastic surgery, dermatological treatments and patient advice, which were carried out by clinics with the NextMotion technology.

The content of the database ranges from invoices for treatments to sketches for interventions to video files with 360-degree scans of patients' bodies and faces. There were also the most intimate photos of patients before and after breast or buttock surgery. The security team contacted NextMotion on January 27, and the data was no longer available on February 5.

The security researchers state that they also found data with which patients can be identified and which in part relate to financial information about these persons. The names of the operating surgeons can also be found in the documents. It is a disaster for the affected patients and their doctors if such confidential medical records become public or end up in the hands of cybercriminals – the latter could open the door to abuse.


The detailed data also include financial details and in some cases allow patients to be identified.

(Picture: vpnmentor)

This security incident is also a disaster for NextMotion, as it undermines its business model of 'securely storing data in a medical cloud'. The security researchers at vpnmentor write in their blog post that this may be detrimental to the company, as customers lose confidence in the company's services and patients may be asked to pay damages.

The French company NextMotion was founded in 2015 by a team of plastic surgeons to offer clinics services and tools for documenting cosmetic surgery. With the company's tools, cosmetic surgeons can document the results before and after surgery and show them to their patients. The company advertises that its photo, video and software tools reassure patients and improve the reputation of the respective cosmetic surgeon, because the patient can be shown on a tablet or smartphone, with before/after photos and videos, how a cosmetic surgery or a dermatological treatment works.

Even the most intimate images of cosmetic surgery procedures were found in the openly accessible database.

(Picture: vpnmentor)

All data collected using the company's tools is meant to be stored in a secure, HDS-compliant (Personal Data Hosting) medical cloud, while remaining accessible to the doctor everywhere, even via a mobile phone app. The company works in a very sensitive medical environment in which patient data must be stored securely. On its website, the company emphasizes that the highest requirements, such as GDPR, HIPAA, ISO, etc., are met. The company is now active in 170 clinics in 35 countries and is striving for further global expansion.