DataBreaches.Net


Canadian plastic surgery center and spa were leaking patient files

Posted on January 10, 2017 by Dissent

Dr. M.W. Elmaraghy, a Canadian plastic surgeon, owns SpaSurgica, an outpatient plastic surgery clinic in Waterloo. He also owns Rejuvenate Medical Spa, which is at the same location as SpaSurgica.

On December 27, Bob Diachenko of the MacKeeper Security Research team contacted DataBreaches.net to say they had discovered that patient data from those two entities was exposed and that anyone could access and acquire it without any login required.

“Tons of clinical reports, medical histories, PII and patient pictures (mostly before/after breast augmentation procedures)!” they wrote. In subsequent correspondence, Diachenko stated that there were “thousands” of patient medical histories, many very detailed and some including references to issues such as cocaine use. The files they provided to this site as examples included the patients’ full name, date of birth, telephone number, pre-operative diagnoses, description of the procedure(s), post-operative diagnoses, and clinical notes. For breast reconstruction referrals following mastectomies, the medical histories were quite detailed. None of the files this site saw had been encrypted.

The MacKeeper team also found that there were hundreds of photos of patients in an archive from August 2016. Those pictures, often of women with breasts exposed, were in folders with the patients’ names, Diachenko told DataBreaches.net.

DataBreaches.net will not be posting any of the nude pictures of patients that were exposed due to the leak. While some patients seemingly permit the clinic to use before and after pictures on their site, DataBreaches.net does not know if all the patients whose pictures were available to the world without any login required gave consent to share their pictures publicly or to identify them by name. To spare them potential embarrassment, DataBreaches.net did not contact any of the patients.

In addition to patient photos and medical files and reports, some exposed files revealed infrastructure and security information that should not have been publicly available, such as their router login credentials, administrator passwords, and other details that hackers would likely find very helpful.

The problem, Diachenko explained, was that the clinic had its rsync device open on port 873, the rsync daemon’s default port, with no login required to reach the files. The leaky device had been discovered during a routine Shodan.io search.
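The misconfiguration behind this leak, as an added example that is not from the post and not the clinic’s actual configuration: a constructed “before” rsyncd.conf in which a module is readable by anyone who can reach port 873, the hardened form beside it, and a small POSIX shell/awk audit function that flags any module lacking `auth users`, `secrets file` or `hosts allow` (honouring the same directives when set globally). The module name, paths, user name and address are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from DataBreaches.net or the clinic): audit an
# rsyncd.conf for the pattern behind an anonymous-read leak on TCP/873.
# Both sample configs below are constructed for illustration.

WEAK_CONF=$(cat <<'EOF'
# constructed "before": module readable by any host, no credentials
[patients]
    path = /srv/clinic/patients
    read only = yes
EOF
)

HARDENED_CONF=$(cat <<'EOF'
# constructed "after": credentials, source restriction, no module listing
[patients]
    path = /srv/clinic/patients
    read only = yes
    list = no
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.0.2.10
    hosts deny = *
EOF
)

# audit_rsyncd_conf CONF_TEXT
# Prints "module:missing directive" for every module that lacks one of
# the three protective directives, per module or inherited from the
# global section. Returns 0 when every module passes, 1 otherwise.
audit_rsyncd_conf() {
    printf '%s\n' "$1" | awk '
        function trim_key(s) { sub(/=.*/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function report(   k) {
            if (mod == "") return
            for (k in need) if (!(k in seen) && !(k in glob)) { print mod ":" k; bad = 1 }
            split("", seen)                      # reset per-module directives
        }
        BEGIN { bad = 0; need["auth users"]; need["secrets file"]; need["hosts allow"] }
        /^[ \t]*#/ { next }                      # comment lines
        /^[ \t]*\[/ {                            # [module] header: close previous module
            report(); mod = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", mod); next
        }
        mod == "" && /=/ { glob[trim_key($0)]; next }   # global defaults
        mod != "" && /=/ { seen[trim_key($0)] }         # module directives
        END { report(); exit bad }'
}

# Demonstration when run directly.
if audit_rsyncd_conf "$WEAK_CONF"; then
    echo "weak config: no findings (unexpected)"
else
    echo "weak config: findings listed above"
fi
audit_rsyncd_conf "$HARDENED_CONF" && echo "hardened config: no findings"
```

Run the function against the text of /etc/rsyncd.conf on the host. Credentials and `hosts allow` address the anonymous-read problem the post describes; `list = no` additionally keeps the module out of anonymous module listings, and `hosts deny = *` makes the allow list the only way in. None of this replaces keeping port 873 off the public Internet in the first place: a daemon that does not need to be reachable from outside should be firewalled or bound to an internal address.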

MacKeeper Security Research Center has now written up the incident on their blog, here.

Frustrating Incident Response, Redux

Recognizing the sensitivity of the material, MacKeeper sent notification that same day to employees of the two domains, using email addresses found in the exposed files. They got no response, so on December 29, DataBreaches.net sent a private message to Rejuvenate Medical Spa’s Twitter team. There was no response.

By January 3, the device was still not secured and neither SpaSurgica nor Rejuvenate Medical Spa had responded to the security team’s notifications or this site’s private message on Twitter, so DataBreaches.net sent an email notification to Dr. Elmaraghy using yet a third email address of theirs.

By January 5, there was still no response to the security researchers or to this site from either SpaSurgica or Rejuvenate Medical Spa, and the files remained unsecured.

On January 6, DataBreaches.net called SpaSurgica and had a somewhat unsatisfactory conversation with someone at their front desk, who commented that one of the email addresses MacKeeper had used belonged to an employee who no longer worked there (then why didn’t that attempt bounce back?). She did acknowledge, however, getting this site’s email of January 3.

But if they got the January 3 notification, why didn’t they respond and why were the files still unsecured?

Her answer was that they had put the email aside to show the doctor, because, you know, they get a lot of email and it could have been spam.

They put it aside for three days? My notification to them didn’t ask them to click on any links. Nor did it try to sell them any service. It described their problem, our attempts to reach them, the IP address where the data were exposed, the Port 873 issue, and stated:

The files – with confidential medical reports on patients and pictures of nude patients for breast surgeries – are still exposed/available to the world and can be found by anyone who knows how to search Shodan.

I would encourage you to contact your IT department or outside IT expert urgently to secure the files.

And it got put aside for days until I called.

How do you say “wth” in Canadian?

As fate would have it, their IT guy walked in while I was on the phone with front desk. They showed him my email. I spoke with him for maybe one minute and then he was off to secure the device after agreeing that they would get back to me to let me know whether there was evidence that the data had been accessed or acquired. I had also asked them in my emails whether they intended to notify patients whose information was available to the world.

When MacKeeper checked again later that day, the device was secured.

SpaSurgica never got back to me to tell me whether there was evidence that the data had been accessed or exfiltrated. Nor did they indicate whether they would be notifying patients.

Come to think of it, neither SpaSurgica nor Rejuvenate ever even sent any acknowledgement, much less thanks to MacKeeper or this site for our repeated efforts to alert them to their problem.

Another day, another data leak, another less-than-ideal incident response.

This post will be updated if more information becomes available.


Category: Breach Incidents, Exposure, Health Data, Non-U.S.


1 thought on “Canadian plastic surgery center and spa were leaking patient files”

  1. Justin Shafer says:
    January 10, 2017 at 4:56 pm

    Zzzzzzzzz


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.