Plastic surgery images and invoices leak from unsecured database

   The images, many of them graphic, came from a French imaging company called NextMotion.
   Laura Hautala 
   February 14, 2020 8:28 AM PST



   A woman's face marked with dotted lines.

   A plastic surgery software service leaked thousands of patient photos, videos and invoices on an unsecured database, security researchers said Thursday. This stock photo didn't come from that exposure.
   Getty Images

   Thousands of images, videos and records pertaining to plastic surgery patients were left on an unsecured database where they could be viewed by anyone with the right IP address, researchers said Friday. The data included about 900,000 records, which researchers say could belong to thousands of different patients.

   The data was generated at clinics around the world using software made by French imaging company NextMotion. Images in the database included before-and-after photos of cosmetic procedures. Those photos often contained nudity, the researchers said. Other records included images of invoices that contained information that would identify a patient. The database is now secured.

   Researchers Noam Rotem and Ran Locar found the exposed database. They published their research with vpnMentor, a security website that rates VPN services and earns commissions when readers make purchases. Rotem said he sees exposed health care databases all too often as part of his web-mapping project, which looks for exposed data.

   "The state of privacy protection, especially in health care, is really abysmal," Rotem said.

   NextMotion, which says on its website that it has 170 clinics as customers in 35 countries, said in a statement to its clients that it had addressed the problem.

   "We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared," said NextMotion CEO Emmanuel Elard in the statement. "This incident only reinforced our ongoing concern to protect your data and your patients' data when you use the Nextmotion application."

   Elard went on to apologize for the "fortunately minor incident."

   While NextMotion said the photos and videos don't include names or other identifying information, many of the images show patients' faces, according to vpnMentor. Some of the invoices detail the types of procedures patients received, such as acne scar removal and abdominoplasty, and contain patients' names and other identifying information.

   The leak is the latest exposure of data from an unsecured cloud database, a global problem that affects a range of sensitive information. Exposed databases have leaked the records of drug rehab patients in the US, the national identity numbers of Peruvian moviegoers and the expected salaries of job seekers around the world. The problem stems from companies moving their customer data to the cloud without proper privacy protocols in place. It affects countless databases, researchers say.

   Rotem said it wasn't possible to know how many patients had information exposed in the NextMotion database, because each patient was likely to have multiple records in the system. Still, it was potentially thousands of patients.

   The NextMotion website says it provides a "secure medical cloud" with its servers in France to store records for cosmetic clinics around the world. The web page dedicated to data security includes logos relating to data security laws, including the US Health Insurance Portability and Accountability Act (HIPAA) and the European Union's General Data Protection Regulation (GDPR).

   Rotem said these laws require many more layers of security protection for the data the researchers found. He said some of the images were 360-degree videos of patients' nude bodies. Some included images of genitalia.

   "It's really, really, really something you don't want to put online," he said.
   © CBS Interactive Inc. All Rights Reserved.