SpaSurgica: Canadian Plastic Surgery Leaks Customer’s Records
The files contained before and after pictures of breast augmentation, implants, and reduction. SpaSurgica also offers labial reduction, liposuction, and a wide range of plastic surgery options that many customers would want private. The pictures, descriptions, and medical history of each patient gives an intimate look at what type of data was leaked. These are not just home addresses and medical records, these are intimate pictures of patient's bodies. There was also access to unencrypted text files containing usernames and passwords for accounts, printers, and other password protected protected logins.
The MacKeeper team are grateful to Dissent from databreaches.net who participated in this investigation and helped to notify Dr. Mohamed Elmaraghy’s office of the leak. Access has since been closed and is no longer publically available. We never heard back from SpaSurgica, although several notification emails were sent immedidately after discovery.
Read more on her story here.
Network infrastructure passwords in plain text.
Patient Pictures archive contained hundreds of images.
The patients' names are associated with the images.
Medical records can be extremely private and sensitive. This is just an example of one of the thousands of scanned or fax files shows a patient who not only shared how her parents died and every major medical issue she has faced, but also included details about cocaine addiction. Drug addiction and health records unfortunately can influence employment or how employers view employees with private medical conditions or challenges.
Canadian Law Protects Patients in Data Leaks
According to the website of the Information and Privacy Commissioner of Ontario there is a strict process regarding the theft or leakage of private medical data. Under the Personal Health Information Protection Act, 2004 (PHIPA), physicians are obligated to keep their patients’ personal health information confidential. PHIPA also provides a legal obligation on physicians to maintain and comply with information practices that keep their patients’ personal health information protected against theft, loss or unauthorized use or disclosure. If personal health information is stolen, lost or accessed by unauthorized individuals.
The Law Requires Containment and Notification:
If faced with a privacy breach, there are two priorities that must be addressed immediately:
- Containment: Identify the scope of the potential breach and take the steps necessary to contain it.
Notification: Affected individuals must be notified as soon as possible.
- Investigate and Remediate: once the breach is contained and the affected parties are notified, you must conduct an internal investigation.