DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Japanese medical online consultation site leaking consumer-submitted images of symptoms

Posted on March 22, 2022 by Dissent

After multiple unsuccessful attempts to get a popular Japanese medical online consultation site to secure a misconfigured bucket, researchers at SafetyDetectives have decided to publicly disclose the leak.

Doctors Me provides customers with on-demand access to professional medical advice. People can sign up for a monthly unlimited access plan (for less than $3.00 per month) or a per consultation plan with specified experts.

The patients can use the service anonymously, but in uploading pictures or details about themselves or their children, they may reveal identifying information. Some of the image files reportedly provide sufficient views to be able to identify some patients or children.

Rash
One of the images in a misconfigured bucket showed the rash on an infant’s face. Image credit and redaction: SafetyDetectives.

When first discovered, the misconfigured bucket contained more than 300,000 image files.  SafetyDetectives could not provide a firm count of how many unique consumers had personal information exposed, but estimate that there are at least 12,000 unique individuals represented.

The misconfigured bucket was discovered on November 11, 2021. SafetyDetectives notified Doctors Me the same day and sent a follow-up message to the firm and the Japanese Computer Emergency Response Team (CERT) on November 21. On November 25, they sent a second notice to CERT and also contacted Amazon AWS. On December 15 and January 10, they sent more notifications to Japanese CERT. On January 11, CERT informed SafetyDetectives that they contacted Amazon AWS.

Despite SafetyDetectives’ efforts, the bucket still has not been secured. Although Amazon will reach out to let their customers know if they receive reports of unsecured buckets, the responsibility to secure the bucket remains with the customer.

SafetyDetectives could not determine when the bucket was first exposed. Nor could it determine how many individuals or scrapers might have accessed the exposed files. The oldest file in the bucket reportedly dates to 2015, and the bucket was still being updated at the time of discovery.

A spokesperson for SafetyDetectives informed DataBreaches.net that they never received any response at all from Doctors Me. When asked why they decided to disclose the problem at this time, the spokesperson answered:

We always do our best to have the data secured before we publish anything. But sometimes, waiting so much can also be harmful for the data as it gives the opportunity to other actors (with less ethical mindset) to find it and exploit it. We tried several times to contact the company, we also tried the CERT in Japan, the hosting… We’ve used all our resources. Our last chance for the company to know about their misconfiguration is to publish our report and hope they’ll read about it in the news and finally secure it.

Additional details about their findings and possible risks to consumers from this leak can be found in SafetyDetectives’ full report.

Under Japan’s Act on the Protection of Personal Information (APPI), there is an obligation to properly secure personally identifiable information. Was Doctors Me required to notify the government of this incident? Was it required to notify consumers? And if it did have notification obligations, has it complied with them?

DataBreaches.net sent a contact form inquiry to Doctors Me on March 20, asking whether they were notifying patients of the incident, whether they had notified the Personal Information Protection Commission (PIPC), and what they were doing in response to this incident. No reply has been received by the time of this publication.

If anyone has a contact at Doctors Me or knows any of the doctors/experts who might be able to get the firm to lock down the bucket, please let them know about the data exposure.

Category: Breach IncidentsCommentaries and AnalysesExposure

Post navigation

← Threat actors leak data from Scottish Association for Mental Health
Microsoft confirms they were hacked by Lapsus$ extortion group →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.