Japanese Healthcare Firm ‘Doctors Me’ Exposed Images of 12,000 Patients

In Total Doctors Me left 30GB worth of data exposed to the public due to a misconfigured Amazon S3 bucket.

Safety Detectives’ cybersecurity experts uncovered an exposed Amazon S3 bucket belonging to a Japanese medical Q&A services provider, Doctors Me. It is an online consultation services provider offering visitors/customers on-demand access to professional medical advice.

What Happened

According to Safety Detectives, a cloud misconfiguration led to the exposure of thousands of patient images, including infants and even animals. Since it is a Tokyo-based service, researchers believe that most of the exposed data belong to Japanese citizens.

The Amazon S3 bucket was reportedly left open without any authentication measures. The company allows users to upload their pictures of their ailment, medical condition, or illness anonymously to get a consultation from a medical specialist via Doctors Me. The exposed data belongs to people who used its on-demand consultation service.

More Healthcare Topics

1. Importance Of Medical Alert Devices In 2021
2. Medical software firm leaks personal data of 3.1 million patients
3. Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices
4. IT guy from FEMA hacked medical center, sold data on the dark web
5. Medical records & patient-doctor recordings of thousands of people exposed

Sensitive Data of 12,000 People Exposed

In a blog post, Safety Detectives confirmed that the exposed database contained sensitive data of at least 12,000 patients. According to its report, the exposed database had more than 300,000 files, and around 30GB of data was exposed, impacting thousands of users of Doctors Me.

The leaked database included images of children, which explains the extent of data sensitivity. It is worth noting that all 12,000 images were unique, Safety Detectives researchers noted. 

Though most of the files were anonymously uploaded on the bucket, some individuals could be identified as their faces were obvious in the pictures. Moreover, this bucket was live and updated at the time of its discovery. Threat actors can easily cross-check images with social media profiles and identify people, exposing them to a variety of threats such as blackmailing or extortion.

An exposed person could feel embarrassed and anxious about their medical condition, and could face ridicule and reputational damage should others find out. In some cases, exposing sensitive medical data can ultimately affect someone’s relationships, dating life, and job opportunities.

Safety Detectives

It isn’t yet clear if this bucker was secured after being discovered. Safety Detectives contacted Japanese CERT and Doctors Me on November 21, 2021, first and then one week later, it notified CERT and AWS. It again informed them in December and January 2022.