The SafetyDetectives cybersecurity team uncovered a data exposure affecting the Japanese medical Q&A service Doctors Me.
Doctors Me is a website that provides customers with on-demand access to professional medical advice.
An Amazon S3 bucket owned by the company was left open without proper access authorization and authentication controls in place, exposing sensitive data for around 12,000 people.
Doctors Me is part of an industry that’s seen rapid growth during the Covid-19 pandemic. As online consultation services become more commonplace, the bucket’s content demonstrates that patients need to be careful about the images they share through medical platforms.
In particular, images of children feature among the content of Doctors Me’s bucket, which presents further risks associated with this data breach.
Who is Doctors Me?
Doctors Me is a private company based in Tokyo, Japan. The company operates a website, doctors-me.com, which allows users to anonymously upload pictures of their ailments, illnesses, or various other afflictions to receive a consultation from a medical professional.
Doctors Me provides medical experts in each area of health and wellbeing: doctors, pharmacists, nutritionists, dentists, and counselors. The site contains other forms of content that help visitors self-assess their medical condition, including lists of diseases and symptoms, a Q&A section, a blog, and a health checklist for common medical conditions.
Doctors Me is an affordable service, offering payment plans between 324 JPY/month (~3 USD) and 540 JPY/month (~5 USD). The site is popular, too, with around 70,000 monthly web visitors (as per Crunchbase).
Various references to the company, along with the content of the open bucket, provide evidence that it belongs to Doctors Me.
What was Exposed?
In total, Doctors Me’s misconfigured Amazon S3 bucket has exposed 300,000+ files, equalling around 30 GB of data.
This data belongs to customers who used the on-demand consultation services offered by doctors-me.com.
Specifically, the unsecured bucket contained photos of symptoms that were uploaded by users. Tens of thousands of these files could be found on the bucket—over 12,000 images were unique.
Photos of symptoms exposed forms of sensitive customer data:
- images of medical conditions (of users or their dependents), including rashes, sores, dental issues, excrement, and more;
- images of faces, included in symptom images, many of them of children;
- images of animals, included in symptom images, though these files were rare.
All of the files stored in the bucket were anonymously uploaded, although, in some cases, individuals can be identified through pictures of their faces.
Doctors Me’s Amazon S3 bucket was live and being updated at the time of discovery. Properly securing the bucket was the responsibility of Doctors Me, and thus Amazon is in no way at fault for this data exposure.
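As an added example (not part of SafetyDetectives’ report or Doctors Me’s own code), the following Python audit flags the kind of bucket ACL grant or bucket-policy statement that leaves S3 content readable by anyone; the owner ID, bucket name and sample configurations are constructed.

```python
"""Audit an S3 bucket's ACL and bucket policy for world-readable access.
Added example with constructed inputs shaped like boto3's get_bucket_acl /
get_bucket_policy responses; they are not Doctors Me's real configuration."""
import json

# Grantee URIs meaning "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (permission, group URI) for each ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grant["Permission"], grantee["URI"]))
    return findings

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return principal == "*"

def public_policy_statements(policy_json):
    """Return Allow statements open to any principal; 'conditioned' marks those
    narrowed by a Condition block, which still deserve manual review."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({"sid": stmt.get("Sid", f"statement-{i}"),
                         "actions": [actions] if isinstance(actions, str) else list(actions),
                         "conditioned": "Condition" in stmt})
    return findings

# Constructed samples: the weak configuration beside the corrected one.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
WEAK_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [OWNER, {"Permission": "READ",
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
SAFE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [OWNER]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]})
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})
```

Feeding the live responses of `get_bucket_acl` and `get_bucket_policy` into these two functions (and keeping S3 Block Public Access enabled at the account level) is the routine check that would have caught a bucket like the one described here.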
You can see evidence of these images below. Warning: Images contain graphic content.
Doctors Me is a Japanese company and, therefore, we assume the majority of the open bucket’s data belongs to Japanese citizens.
Based on the number of unique files stored on the bucket, we estimate there are around 12,000 users affected by this data exposure.
A full breakdown of Doctors Me’s data exposure is available in the following table.
| Number of files exposed | 300,000+ |
| Number of affected users | Around 12,000 |
| Amount of data exposed | Around 30 GB |
We discovered the open Amazon S3 bucket on November 11th, 2021. We sent a message to Doctors Me on the same day.
On November 21st, 2021, we sent a follow-up message to Doctors Me and we also reached out to the Japanese Computer Emergency Response Team (CERT). On November 25th, 2021, we messaged Japanese CERT again and sent a message to AWS regarding Doctors Me’s bucket. The Japanese CERT told us they would reach out to the owner of the bucket. We sent follow-up messages to the Japanese CERT on December 15th, 2021, and January 10th, 2022. They replied on January 11th, 2022, informing us that they contacted AWS.
Doctors Me, its customers, and any other people included within the bucket’s content could face various impacts as a result of this data breach.
Data Breach Impact
We cannot and do not know whether malicious actors accessed the Amazon bucket’s content while it was open.
However, there may be several risks associated with Doctors Me’s bucket should malicious individuals have seen or downloaded its images. Exposed Doctors Me users and any exposed children could experience forms of crime.
Meanwhile, Doctors Me could face legal sanctions because of its misconfigured bucket.
Impact on Customers
Customers could face a breach of privacy, blackmail, and the potential distribution of explicit images.
Breach of Privacy
Criminals could potentially identify Doctors Me customers and any other dependents who have their face or unique identifiable characteristics (e.g. distinctive tattoos) pictured on the bucket. Hackers could also identify users if one of their medical pictures was uploaded to multiple other platforms (e.g. social media sites or medical forums).
The open AWS S3 bucket therefore breaches users’ privacy. Exposing sensitive medical information could have serious impacts on users’ everyday lives.
An exposed person could feel embarrassed and anxious about their medical condition, and could face ridicule and reputational damage should others find out. In some cases, exposing sensitive medical data can ultimately affect someone’s personal relationships, dating life, and job opportunities.
Exposed users could also be blackmailed if any bad actors found Doctors Me’s open bucket.
A medical condition is an extremely private and oftentimes embarrassing matter for the individual concerned. The bucket contains deeply personal pictures of graphic ailments—information that Doctors Me customers might want to keep to themselves, and rightly so. This is the reason Doctors Me describes its website as an “anonymous service.”
Medical professionals who offer consultations may not have any interest in identifying the individuals included within pictures. However, a criminal might see users on the bucket as vulnerable targets.
Bad actors could identify users and exploit the privacy of each user’s medical condition to extort them for money.
Although we saw no evidence of this in samples, Doctors Me’s bucket could feasibly contain images of nudity and private areas of users’ bodies. Again, criminals could exploit the privacy of this content to extort users for money.
Specifically, criminals could target identifiable users with blackmail—threatening to distribute private images unless a monetary fee is paid to the criminal.
Distribution of Photos of Exposed Minors
The bucket also contains pictures of children and their symptoms. At times, these images show private areas of the child’s body in order to display a medical condition.
Unfortunately, the presence of exposed minors suggests predators may take interest in the bucket’s content. Predators could gain access to the bucket’s content to download or distribute these images.
Infants and children are often so small that their entire body and face fit into one picture. For example, a picture of a rash on an infant’s stomach can feature the child’s face, too. This means, disturbingly, many children pictured are identifiable on the bucket. A predator could use this information to stalk children or cause further damage outside of the online space.
Impact on Doctors Me
Japan’s data protection law is the Act on the Protection of Personal Information (APPI). The legal framework set out in the APPI is governed by the Personal Information Protection Commission (PIPC).
The APPI demands that organizations properly and securely process, store, and distribute the personally identifiable information (PII) and sensitive data of Japanese citizens. Any breach of this legislation could result in sanctions and/or punishments for the “information handler.”
The PIPC could penalize any guilty employee with a maximum punishment of up to one year of imprisonment or a fine of 1 million JPY (approx. 9,000 USD). The PIPC could issue Doctors Me with a maximum fine of 100 million JPY (approx. 900,000 USD) should it find the company has breached the regulatory guidelines outlined in the APPI.
In addition to any regulatory sanctions or punishments, data subjects (i.e. Japanese citizens who’ve had their information exposed) have a right to seek compensation for any damages incurred from data loss or exposure.
Preventing Data Exposure
What steps can users take to keep their data secure? And what can one do to mitigate the potentially damaging consequences of a data breach?
Before we list some actionable tips, we should first mention that users of medical consultation platforms need to take specific precautions — these platforms require sensitive content and they’re becoming increasingly common.
Patients should avoid picturing identifiable information, such as name tags or personal IDs, and patients should avoid picturing their (or their child’s) face where possible. Patients should not include intimate images if they are not essential to the consultation.
Here are a few general tips to prevent data exposure:
- Only provide your personal information to individuals, organizations, or entities that you trust 100%.
- Only visit websites with a secure domain (i.e. websites with a “https” and/or closed lock symbol at the beginning of their domain name).
- Be cautious when providing your most important forms of personal information, such as your social security number.
- Provide the minimal amount of data requested by a website, e.g. if a scanned ID is needed to verify your age, blur out address data, ID numbers, and expiry dates before you submit your image.
- Create super-secure passwords that use a combination of letters, numbers, and symbols. Update your existing passwords regularly.
- Don’t click a link in an email (or anywhere else on the internet) unless you’re certain the source is legitimate.
- Edit your privacy settings on social media sites. Make sure your content is only visible to friends and trusted users.
- Don’t display or type out important forms of personal information (such as credit card numbers or passwords) when connected to an unsecured WiFi network.
- Educate yourself about cybercrime, data protection, and any additional steps you can take to mitigate the risk of phishing attacks and malware.
SafetyDetectives.com is the world’s largest antivirus review website.
The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data. The overarching purpose of our web mapping project is to help make the internet a safer place for all users.
Our previous reports have brought multiple high-profile vulnerabilities and data leaks to light, including 2.6 million users exposed by an American social analytics platform IGBlade, as well as a leak affecting the Brazilian Software company WSpot that exposed hundreds of thousands of client files.
For a full review of SafetyDetectives cybersecurity reporting over the past 3 years, follow SafetyDetectives Cybersecurity Team.