Ontario based plastic surgery clinic leaks thousands of customer’s medical records online

10 / 01 / 2017

Researchers from the MacKeeper Security Research Center discovered an unprotected remote synchronization (rsync) service active at an IP address tied to SpaSurgica, a Canadian plastic surgery company. The backup device behind it held the detailed medical histories of thousands of patients, publicly accessible with no password protection or encryption. Medical records are among the most private and sensitive data and pose a serious risk to patients and doctors alike: they could be used to file false claims, to extort patients, or to bias employers against sick employees who may miss work because of an illness or medical history. This is why securing and protecting medical data should always be a top priority.

The files contained before and after pictures of breast augmentation, implants, and reduction. SpaSurgica also offers labial reduction, liposuction, and a wide range of other plastic surgery procedures that many customers would want kept private. The pictures, descriptions, and medical history of each patient give an intimate look at what type of data was leaked: not just home addresses and medical records, but intimate pictures of patients' bodies. The share also exposed unencrypted text files containing usernames and passwords for accounts, printers, and other password-protected logins.
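The exposure described above is the kind an rsync daemon produces when a module is served with no `auth users`, `secrets file` or `hosts allow` restriction: anyone can ask the daemon to list its modules and then read an open one. The following is an added example, not code from the article or from SpaSurgica's systems, showing the check a practitioner would run against a suspect IP. The rsync daemon control protocol (daemon greets with `@RSYNCD: <version>`, client echoes its version, an empty module name requests the module listing, `@RSYNCD: OK` means the module needs no credentials, `@RSYNCD: AUTHREQD` means it does) is real; the host, port and module names are assumptions, and `FakeRsyncDaemon` is a constructed stand-in so the probe can be exercised offline.

```python
"""Probe an rsync daemon for modules that are listable and readable without
credentials. Added example, not from the original write-up. The protocol
lines are rsync's own; FakeRsyncDaemon is a constructed test stand-in."""
import socket
import socketserver
import threading

CLIENT_VERSION = b"@RSYNCD: 31.0\n"  # version line an rsync 3.x client sends


def _read_line(sock):
    """Read one newline-terminated control line from the daemon."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:          # daemon closed the connection
            break
        buf += chunk
    return buf.decode("utf-8", "replace").rstrip("\n")


def _handshake(host, port, timeout):
    """Connect and exchange version lines; the daemon always speaks first."""
    sock = socket.create_connection((host, port), timeout=timeout)
    greeting = _read_line(sock)
    if not greeting.startswith("@RSYNCD:"):
        sock.close()
        raise ValueError(f"{host}:{port} is not an rsync daemon: {greeting!r}")
    sock.sendall(CLIENT_VERSION)
    return sock


def list_modules(host, port=873, timeout=5.0):
    """Return [(module, comment), ...] advertised to an anonymous client.
    An empty module name asks for the listing; the daemon answers with one
    'name<TAB>comment' line per module and finishes with '@RSYNCD: EXIT'."""
    modules = []
    with _handshake(host, port, timeout) as sock:
        sock.sendall(b"\n")
        while True:
            line = _read_line(sock)
            if line == "" or line.startswith("@RSYNCD: EXIT"):
                break
            if line.startswith("@ERROR"):      # e.g. blocked by 'hosts allow'
                raise PermissionError(line)
            name, _, comment = line.partition("\t")
            modules.append((name.strip(), comment.strip()))
    return modules


def module_access(host, module, port=873, timeout=5.0):
    """Classify a module as 'open' (no credentials asked), 'auth'
    (daemon sends an AUTHREQD challenge) or 'denied' (@ERROR / unknown)."""
    with _handshake(host, port, timeout) as sock:
        sock.sendall(module.encode() + b"\n")
        reply = _read_line(sock)
    if reply.startswith("@RSYNCD: OK"):
        return "open"
    if reply.startswith("@RSYNCD: AUTHREQD"):
        return "auth"
    return "denied"


# --- constructed stand-in for an rsync daemon, for offline testing only ---
class FakeRsyncDaemon(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, modules, auth_modules=()):
        self.modules = modules                 # {name: comment}, all listable
        self.auth_modules = set(auth_modules)  # subset that demands a login
        super().__init__(("127.0.0.1", 0), _FakeHandler)
        threading.Thread(target=self.serve_forever, daemon=True).start()


class _FakeHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"@RSYNCD: 31.0\n")
        self.rfile.readline()                  # client's version line
        name = self.rfile.readline().decode().strip()
        if name == "":                         # module listing request
            for mod, comment in self.server.modules.items():
                self.wfile.write(f"{mod:<15}\t{comment}\n".encode())
            self.wfile.write(b"@RSYNCD: EXIT\n")
        elif name in self.server.auth_modules:
            self.wfile.write(b"@RSYNCD: AUTHREQD c0ffee\n")
        elif name in self.server.modules:
            self.wfile.write(b"@RSYNCD: OK\n")
        else:
            self.wfile.write(f"@ERROR: Unknown module '{name}'\n".encode())


if __name__ == "__main__":
    # Constructed scenario: a wide-open backup module beside a protected one.
    daemon = FakeRsyncDaemon({"backup": "clinic backups", "imaging": "scans"},
                             auth_modules={"imaging"})
    port = daemon.server_address[1]
    for mod, comment in list_modules("127.0.0.1", port):
        print(f"{mod:10s} {module_access('127.0.0.1', mod, port):7s} {comment}")
    daemon.shutdown()
```

Against a real host, `list_modules(ip)` with the default port 873 reproduces what `rsync rsync://ip/` prints, and a module reported as `open` is one whose contents `rsync -av rsync://ip/module/ ./` would pull down with no login. On the daemon side the fix is in `rsyncd.conf`: set `auth users` and a `secrets file` on every module, restrict `hosts allow` to the backup client's address, set `list = no` so the module is not advertised, and do not bind the daemon to a public interface in the first place.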

We are grateful to Dissent from databreaches.net, who participated in this investigation and helped to notify Dr. Mohamed Elmaraghy's office of the leak. Access has since been closed and is no longer publicly available. We never heard back from SpaSurgica, although several notification emails were sent immediately after discovery.

Read more on her story here: https://www.databreaches.net/canadian-plastic-surgery-center-and-spa-were-leaking-patient-files

Network infrastructure passwords in plain text.

Patient Pictures archive contained hundreds of images.

The patients' names are associated with the images.

Medical records can be extremely private and sensitive. This is just one example of the thousands of scanned or faxed files: it shows a patient who not only shared how her parents died and every major medical issue she has faced, but also included details of a cocaine addiction. Drug addiction and health records can unfortunately influence employment, or how employers view employees with private medical conditions or challenges.


Canadian Law Protects Patients in Data Leaks

According to the website of the Information and Privacy Commissioner of Ontario, there is a strict process regarding the theft or leakage of private medical data. Under the Personal Health Information Protection Act, 2004 (PHIPA), physicians are obligated to keep their patients' personal health information confidential. PHIPA also places a legal obligation on physicians to maintain and comply with information practices that keep their patients' personal health information protected against theft, loss or unauthorized use or disclosure. If personal health information is stolen, lost or accessed by unauthorized individuals, the obligations below apply.

The Law Requires Containment and Notification:

If faced with a privacy breach, there are two priorities that must be addressed immediately:

  1. Containment: Identify the scope of the potential breach and take the steps necessary to contain it

  2. Notification: Affected individuals must be notified as soon as possible

Investigate and Remediate:  

Once the breach is contained and the affected parties are notified, you must conduct an internal investigation.



For more information or media requests please contact security@kromtech.com