Canadian plastic surgery center and spa were leaking patient files
Dr. M.W. Elmaraghy, a Canadian plastic surgeon, owns SpaSurgica, an outpatient plastic surgery clinic in Waterloo. He also owns Rejuvenate Medical Spa, which is at the same location as SpaSurgica.
On December 27, Bob Diachenko of the MacKeeper Security Research team contacted DataBreaches.net to say they had discovered patient data from those two entities was exposed and that anyone could access it and acquire it without any login required.
“Tons of clinical reports, medical histories, PII and patient pictures (mostly before/after breast augmentation procedures)!” they wrote. In subsequent correspondence, Diachenko stated that there were “thousands” of patient medical histories, many very detailed and some including reference to issues such as cocaine use. The files they provided to this site as examples included the patients’ full name, date of birth, telephone number, pre-operative diagnoses, description of the procedure(s), post-operative diagnoses, and clinical notes. For breast reconstruction referrals following mastectomies, the medical histories were quite detailed. None of the files this site saw had been encrypted.
The MacKeeper team also found that there were hundreds of photos of patients in an archive from August, 2016. Those pictures, often of women with breasts exposed, were in folders with the patients’ names, Diachenko told DataBreaches.net.
DataBreaches.net will not be posting any of the nude pictures of patients that were exposed due to the leak. While some patients seemingly permit the clinic to use before and after pictures on their site, DataBreaches.net does not know if all the patients whose pictures were available to the world without any login required gave consent to share their pictures publicly or to identify them by name. To spare them potential embarrassment, DataBreaches.net did not contact any of the patients.
In addition to patient photos and medical files and reports, some exposed files revealed infrastructure and security information that should not have been publicly available, such as their router login credentials, administrator passwords, and other details that hackers would likely find very helpful.
The problem, Diachenko explained, was that the clinic had its Rsync device open on port 873. The leaky device had been discovered during a routine Shodan.io search.
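For administrators checking their own systems for the same exposure, the following is an added example, not code from MacKeeper, DataBreaches.net or the clinic. It assumes the device runs a stock rsync daemon configured through rsyncd.conf, which the article does not state; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample rsyncd.conf, not data from the incident.
SAMPLE_CONF = """\
use chroot = yes
[backup]
    path = /volume1/backup
    read only = no
[scans]
    path = /volume1/scans
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.168.10.0/24
    list = no
"""
FALSE = ("no", "false", "0")

def parse_rsyncd_conf(text):
    """Return {module: {param: value}}; global parameters act as defaults."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), dict(globals_))
        elif "=" in line:
            key, value = line.split("=", 1)
            target = globals_ if current is None else current
            target[" ".join(key.lower().split())] = value.strip()
    return modules

def audit(text):
    """Return {module: [findings]} for modules exposed beyond a trusted set."""
    report = {}
    for name, p in parse_rsyncd_conf(text).items():
        checks = [
            (not p.get("auth users"), "no auth users: anonymous access"),
            (not p.get("hosts allow"), "no hosts allow: any source address"),
            (p.get("read only", "yes").lower() in FALSE, "module is writable"),
            (p.get("list", "yes").lower() not in FALSE, "module name is listable"),
        ]
        findings = [msg for failed, msg in checks if failed]
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A module that reports no findings can still be reachable from the internet if port 873 is forwarded, so the firewall rule for that port needs checking separately.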
MacKeeper Security Research Center has now written up the incident on their blog, here.
Frustrating Incident Response, Redux
Recognizing the sensitivity of the material, MacKeeper sent notification that same day to employees of the two domains, using email addresses found in the exposed files. They got no response, so on December 29, DataBreaches.net sent a private message to Rejuvenate Medical Spa’s Twitter team. There was no response.
By January 3, the device was still not secured and neither SpaSurgica nor Rejuvenate Medical Spa had responded to the security team’s notifications or this site’s private message on Twitter, so DataBreaches.net sent an email notification to Dr. Elmaraghy using yet a third email address of theirs.
By January 5, there was still no response to the security researchers or to this site from either SpaSurgica or Rejuvenate Medical Spa, and the files remained unsecured.
On January 6, DataBreaches.net called SpaSurgica and had a somewhat unsatisfactory conversation with someone at their front desk, who commented that one of the email addresses MacKeeper had used belonged to an employee who no longer worked there (then why didn’t that attempt bounce back?). She did acknowledge, however, getting this site’s email of January 3.
But if they got the January 3 notification, why didn’t they respond and why were the files still unsecured?
Her answer was that they had put the email aside to show the doctor, because, you know, they get a lot of email and it could have been spam.
They put it aside for three days? My notification to them didn’t ask them to click on any links. Nor did it try to sell them any service. It described their problem, our attempts to reach them, the IP address where the data were exposed, the Port 873 issue, and stated:
The files – with confidential medical reports on patients and pictures of nude patients for breast surgeries are still exposed/available to the world and can be found by anyone who knows how to search Shodan.
I would encourage you to contact your IT department or outside IT expert urgently to secure the files.
And it got put aside for days until I called.
How do you say “wth” in Canadian?
As fate would have it, their IT guy walked in while I was on the phone with the front desk. They showed him my email. I spoke with him for maybe one minute and then he was off to secure the device after agreeing that they would get back to me to let me know whether there was evidence that the data had been accessed or acquired. I had also asked them in my emails whether they intended to notify patients whose information was available to the world.
When MacKeeper checked again later that day, the device was secured.
SpaSurgica never got back to me to tell me whether there was evidence that the data had been accessed or exfiltrated. Nor did they indicate whether they would be notifying patients.
Come to think of it, neither SpaSurgica nor Rejuvenate ever even sent any acknowledgement, much less thanks to MacKeeper or this site for our repeated efforts to alert them to their problem.
Another day, another data leak, another less than ideal incident response.
This post will be updated if more information becomes available.
Justin Shafer - January 10, 2017