DataBreaches.Net


Canadian plastic surgery center and spa were leaking patient files

Posted on January 10, 2017 by Dissent

Dr. M.W. Elmaraghy, a Canadian plastic surgeon, owns SpaSurgica, an outpatient plastic surgery clinic in Waterloo. He also owns Rejuvenate Medical Spa, which is at the same location as SpaSurgica.

On December 27, Bob Diachenko of the MacKeeper Security Research team contacted DataBreaches.net to say they had discovered patient data from those two entities was exposed and that anyone could access it and acquire it without any login required.

“Tons of clinical reports, medical histories, PII and patient pictures (mostly before/after breast augmentation procedures)!” they wrote. In subsequent correspondence, Diachenko stated that there were “thousands” of patient medical histories, many very detailed and some including reference to issues such as cocaine use. The files they provided to this site as examples included the patients’ full name, date of birth, telephone number, pre-operative diagnoses, description of the procedure(s), post-operative diagnoses, and clinical notes. For breast reconstruction referrals following mastectomies, the medical histories were quite detailed. None of the files this site saw had been encrypted.

The MacKeeper team also found that there were hundreds of photos of patients in an archive from August, 2016. Those pictures, often of women with breasts exposed, were in folders with the patients’ names, Diachenko told DataBreaches.net.

DataBreaches.net will not be posting any of the nude pictures of patients that were exposed due to the leak. While some patients seemingly permit the clinic to use before and after pictures on their site, DataBreaches.net does not know if all the patients whose pictures were available to the world without any login required gave consent to share their pictures publicly or to identify them by name. To spare them potential embarrassment, DataBreaches.net did not contact any of the patients.

In addition to patient photos and medical files and reports, some exposed files revealed infrastructure and security information that should not have been publicly available, such as their router login credentials, administrator passwords, and other details that hackers would likely find very helpful.

The problem, Diachenko explained, was that the clinic’s storage device was exposing an rsync service on TCP port 873 to the internet, with no authentication required to read from it. The leaky device had been discovered during a routine Shodan.io search.
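The exposure described above comes down to an rsync daemon whose module had no access controls. The following is an added example, not code from the original post or from MacKeeper: it parses a constructed rsyncd.conf in the shape of the weak setup (a module with only a path) beside a hardened counterpart, and flags the settings a defender would check before a Shodan search finds them. The paths, module name, user and IP address are hypothetical.

```python
import configparser

# Constructed sample: one module exported with rsyncd's defaults, which means
# any source IP may connect, no credentials are needed, and the module is listable.
WEAK_CONF = """\
[clinic]
path = /srv/clinic
comment = clinic files
"""

# Constructed hardened counterpart: global allow/deny list, module hidden from
# listing, read-only, and only a named user with a secrets file may read it.
HARDENED_CONF = """\
hosts allow = 192.0.2.10
hosts deny = *
[clinic]
path = /srv/clinic
read only = yes
list = no
auth users = backup
secrets file = /etc/rsyncd.secrets
"""

def parse_rsyncd(text):
    """Parse rsyncd.conf text. Parameters before the first [module] are global
    and act as defaults for every module, which configparser's default section models."""
    cp = configparser.ConfigParser(default_section="global", interpolation=None)
    cp.read_string("[global]\n" + text)
    return cp

def audit_rsyncd(text):
    """Return a list of findings for each module, using rsyncd.conf defaults:
    no 'hosts allow' means all hosts, no 'auth users' means anonymous access,
    'list' defaults to yes and 'read only' defaults to yes."""
    cp = parse_rsyncd(text)
    findings = []
    for mod in cp.sections():
        sec = cp[mod]
        if not sec.get("hosts allow"):
            findings.append(f"{mod}: no 'hosts allow', any source IP may connect")
        if not sec.get("auth users"):
            findings.append(f"{mod}: no 'auth users', module readable without credentials")
        if sec.get("list", "yes").strip().lower() in ("yes", "true", "1"):
            findings.append(f"{mod}: 'list = yes', module name is enumerable by scanners")
        if sec.get("read only", "yes").strip().lower() in ("no", "false", "0"):
            findings.append(f"{mod}: 'read only = no', remote clients may write files")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_rsyncd(conf) or "no findings")
```

A firewall rule restricting TCP 873 to the backup host still belongs in front of the daemon; the config audit only catches what the service itself would accept.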

MacKeeper Security Research Center has now written up the incident on their blog, here.

Frustrating Incident Response, Redux

Recognizing the sensitivity of the material, MacKeeper sent notification that same day to employees of the two domains, using email addresses found in the exposed files. They got no response, so on December 29, DataBreaches.net sent a private message to Rejuvenate Medical Spa’s Twitter team. There was no response.

By January 3, the device was still not secured and neither SpaSurgica nor Rejuvenate Medical Spa had responded to the security team’s notifications or this site’s private message on Twitter, so DataBreaches.net sent an email notification to Dr. Elmaraghy using yet a third email address of theirs.

By January 5, there was still no response to the security researchers or to this site from either SpaSurgica or Rejuvenate Medical Spa, and the files remained unsecured.

On January 6, DataBreaches.net called SpaSurgica and had a somewhat unsatisfactory conversation with someone at their front desk, who commented that one of the email addresses MacKeeper had used belonged to an employee who no longer worked there (then why didn’t that attempt bounce back?). She did acknowledge, however, getting this site’s email of January 3.

But if they got the January 3 notification, why didn’t they respond and why were the files still unsecured?

Her answer was that they had put the email aside to show the doctor, because, you know, they get a lot of email and it could have been spam.

They put it aside for three days? My notification to them didn’t ask them to click on any links. Nor did it try to sell them any service. It described their problem, our attempts to reach them, the IP address where the data were exposed, the Port 873 issue, and stated:

The files – with confidential medical reports on patients and pictures of nude patients for breast surgeries – are still exposed/available to the world and can be found by anyone who knows how to search Shodan.

I would encourage you to contact your IT department or outside IT expert urgently to secure the files.

And it got put aside for days until I called.

How do you say “wth” in Canadian?

As fate would have it, their IT guy walked in while I was on the phone with front desk. They showed him my email. I spoke with him for maybe one minute and then he was off to secure the device after agreeing that they would get back to me to let me know whether there was evidence that the data had been accessed or acquired. I had also asked them in my emails whether they intended to notify patients whose information was available to the world.

When MacKeeper checked again later that day, the device was secured.

SpaSurgica never got back to me to tell me whether there was evidence that the data had been accessed or exfiltrated. Nor did they indicate whether they would be notifying patients.

Come to think of it, neither SpaSurgica nor Rejuvenate ever even sent any acknowledgement, much less thanks to MacKeeper or this site for our repeated efforts to alert them to their problem.

Another day, another data leak, another less than ideal incident response.

This post will be updated if more information becomes available.

Category: Breach Incidents, Exposure, Health Data, Non-U.S.


1 thought on “Canadian plastic surgery center and spa were leaking patient files”

  1. Justin Shafer says:
    January 10, 2017 at 4:56 pm

    Zzzzzzzzz
