Aesthetic medicine clinics

Patient photos. Treatment records. Reputation. One exposure can cost you all three.

A fixed-price aesthetic medicine clinic cybersecurity assessment. We check booking systems, before/after photo storage, social media accounts and remote access - exactly where an attacker looks for a way in. Free PreScan in 24 hours, full report in 5 business days. No IT department required on your end.

Book a free pre-scan

We know the systems your clinic runs on

  • Jane App
  • Vagaro
  • Mindbody
  • Boulevard
  • Aesthetic Record
  • Nextech
  • PatientNow
  • Symplast

The threat model

Why an aesthetic clinic is a different kind of target

The risk model of an aesthetic clinic differs from dentistry or accounting. Here reputation is the first stake and regulation the second - and it shows in four patterns the Verizon DBIR [4] confirms about practices holding sensitive visual material.

01

Reputational blackmail, not data resale.

An attacker does not need to sell your patients' before/after photos - the threat of publishing a single recognisable frame is enough. It is the cleanest extortion model there is, and no other medical practice of this size holds material with such a high ratio of intimacy to blackmail value.

02

A recognisable patient raises the stakes.

Some of your patients are public figures - journalists, influencers, people in culture or politics. To an attacker their records are not one entry but leverage: leaking a single image can be a six-figure demand. That raises the risk profile of the whole clinic, not just one file.

03

Logins and social accounts are the shared weak point.

Practitioners running several locations often share access to the booking system, and the Instagram account - the primary revenue channel - is frequently one login for the whole team. Taking over that single account is an immediate revenue outage and access to the patient base at once.

04

The marketing channel as a direct target.

Taking over a clinic's Instagram or Facebook can be monetised directly - ransom to return the account, or abuse of the trusted profile to defraud followers. For a practice where 60-80% of bookings come from social media, that is a strike at the heart of the business.

The assessment

What we check at your clinic

Booking-system security

Jane App, Vagaro, Mindbody, Boulevard, Aesthetic Record, Nextech, PatientNow, Symplast - we check known vulnerabilities, exposed admin panels, staff access control, and whether a Business Associate Agreement (BAA) is in place with the vendor. The booking system is your patient base with visit history in one place.

Photo storage & backup

Where the before/after photos live - the practice system, Google Drive, Dropbox, a local disk or personal phones. We verify encryption at rest, whether a signed BAA exists with the cloud vendor, and whether the backup is reachable from the internet.

Marketing & consent workflow on social

Instagram/Facebook integrations, post-scheduling tools, and the image-consent flow. We assess account protection (phishing-resistant MFA, no shared logins) and whether a photo only reaches publication after a documented, separate consent to use the likeness.

Remote access to practice systems

Remote desktop and VPN connections into the system that holds medical records. We check whether access is publicly exposed, whether it is up to date, and whether MFA protects it - not just a password. Especially relevant for clinics with more than one location.

Cross-state and cross-border data transfer

Patients traveling from another state or country mean your records may cross state breach-notification jurisdictions. We check whether your privacy notice covers the applicable laws, and whether records shared with a referring provider have a signed BAA and a documented legal basis.

Email & consultation security

SPF, DKIM and DMARC configuration for your clinic domain, and the channel you use to send consultations and aftercare to patients. Without proper DMARC someone can impersonate the clinic; a consultation over WhatsApp or ordinary email is health data outside your control.
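As an added example (not the assessment provider's own tooling), the SPF and DMARC part of the check above as a small Python evaluator run over constructed records; the domain, include target and report address are placeholders.

```python
# Added example: flag the SPF/DMARC gaps that let someone impersonate a clinic domain.
# Records are constructed samples; in practice they come from DNS TXT lookups
# of <domain> (SPF) and _dmarc.<domain> (DMARC).

def parse_dmarc_tags(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record: str) -> list:
    """(severity, message) findings for an SPF record; '' means no record."""
    if not record.lower().startswith("v=spf1"):
        return [("high", "no SPF record: receivers cannot tell which servers may send as the clinic")]
    terms = record.lower().split()
    if "+all" in terms or "all" in terms:
        return [("high", "'+all' authorises every sender; SPF gives no protection")]
    if "~all" in terms or "?all" in terms:
        return [("low", "soft/neutral 'all'; '-all' tells receivers to reject unlisted senders")]
    if "-all" not in terms:
        return [("medium", "no 'all' mechanism; unlisted senders evaluate as neutral")]
    return []

def check_dmarc(record: str) -> list:
    """(severity, message) findings for a DMARC record; '' means no record."""
    if not record.upper().startswith("V=DMARC1"):
        return [("high", "no DMARC record: receivers never enforce SPF/DKIM alignment")]
    tags, findings = parse_dmarc_tags(record), []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("medium", "p=quarantine sends spoofs to spam; p=reject blocks them"))
    elif policy != "reject":
        findings.append(("high", f"missing or unknown policy tag p={policy!r}"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: no aggregate reports, so abuse goes unnoticed"))
    return findings

def assess_domain(spf: str, dmarc: str) -> list:
    """Combined findings, most severe first; an empty list means both records pass."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(check_spf(spf) + check_dmarc(dmarc), key=lambda f: rank[f[0]])

# Constructed weak and hardened record pairs for a hypothetical clinic domain.
WEAK = ("v=spf1 include:_spf.google.com ~all", "v=DMARC1; p=none")
HARDENED = ("v=spf1 include:_spf.google.com -all", "v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example")
```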

Layered protection

One patient photo, four legal regimes

A before/after photo is not an ordinary file. Several independent regimes protect the same data in parallel - which is why a single leak is often a triple legal exposure. The layers stack; satisfying one does not discharge the others.

01

HIPAA Security Rule

Before/after photos tied to a patient are ePHI. The Security Rule requires a documented risk analysis, access controls, encryption, audit logs, and a breach response procedure.

02

HIPAA Breach Notification Rule

A photo leak triggers mandatory notification to affected patients and HHS within 60 days. Breaches of 500+ records in a state require notification to local media — and public listing on the HHS "Wall of Shame."

03

State breach notification laws

All 50 states have their own breach notification statutes — many with shorter windows than HIPAA (some as low as 30 days) and no minimum-record threshold. State AG enforcement is independent of HHS.

04

Professional liability

A breach of patient images is also a privacy tort under state law. Medical liability insurers are increasingly requiring documented security controls as a condition of coverage — not a fine, a coverage denial.

Informational material, not legal advice. For specific questions, consult a lawyer specialising in medical or likeness law.

The real cost

What a clinic actually loses - in order of weight

The clinic's capital

Loss of patient trust

Reputation is the primary asset of an aesthetic medicine clinic. A leak of recognisable photos can permanently damage patient trust even with a successful legal response - and in a referral-driven field that feeds straight into a full schedule. It is the risk that outranks any fine.

Up to $2.07M [1]

Triple legal exposure

A single leaked patient photo can trigger three regimes at once: HIPAA penalties (up to $2.07M per violation category), state privacy tort claims from the patient, and professional liability for breach of medical confidentiality. The 60-day HHS notification clock starts the moment you discover it.

Booking outage

Revenue-channel takeover

Losing the Instagram or Facebook account means losing the main patient-acquisition channel overnight. Recovery through Meta takes weeks - if it happens at all. For a clinic where most bookings come from social media, a week-long outage rivals a ransom demand in cost.

See what a real report looks like

Here's what a PreScan report for an aesthetic clinic contains

We've redacted the clinic name and domain. Everything else is the real output - the findings, the HIPAA PHI photo-storage gap analysis, the social-account hardening checklist, and the prioritised remediation list you can hand to your IT provider the same day.

Deliverables

What you receive

Every clinic that orders the full assessment gets the same package - no tiers, no upsells, no "enterprise only" features held back.

  • Executive PDF report in plain language, peer-level - for the physician, not the IT department
  • Full vulnerability list with severity scores (Critical / High / Medium / Low) and CVSS where applicable
  • Before/after photo storage — HIPAA protected health information (PHI) gap analysis
  • Booking-system and social-account assessment with concrete hardening steps (MFA, roles, DPA)
  • Email security configuration guide for your clinic domain (SPF, DKIM, DMARC)
  • Credential exposure report - which team addresses, in which breaches, when
  • 30-minute debrief call with the assessor to walk through findings

Pricing

Fixed price, visible up front

You start free. You only pay if there is something to fix. The CyberAudyt price is fixed - regardless of patient volume or seats; multi-location networks are quoted individually.

Start here

PreScan

Free

results in 24 h

Passive external scan of your clinic. We show what is visible from the internet - with zero access on your end. Answers whether there is anything to address at all.

Most popular

CyberAudyt

$900

report in 5 business days

Full external assessment with manual verification: booking system, photo storage, social accounts, remote access, email. Plain-language, peer-level report with prioritised fixes and a 30-minute call. Fixed price regardless of patient volume.

Chain / multi-location

Custom scope

scoped to your network

For clinics with several locations, a high volume of influencer-patients (greater reputational exposure), or an insurer requirement - extended scope, including a full penetration test. Re-scan after remediation: 50% of the CyberAudyt price.

Guarantee: if CyberAudyt doesn't surface at least 3 actionable findings, you pay nothing.

Fixed price - no hourly billing, no surprises. Solo practice or a single room with no online booking: ask about a simplified scope. Clinic network or an insurer requirement: a custom quote, including a full penetration test.

Questions practitioners ask us

Aesthetic-clinic questions, answered

"Does the assessment cover my Jane App or Vagaro booking system?"

Yes. We assess Jane App, Vagaro, Mindbody, Boulevard, Aesthetic Record, Nextech, PatientNow and Symplast — known vulnerabilities, exposed admin panels, staff access control, and whether a Business Associate Agreement (BAA) is in place with the vendor. We do not read patient records; we assess the attack surface, meaning what is visible and reachable from outside.

"What about before/after photos in the cloud (Google Drive, Dropbox)?"

Consumer Google Drive or Dropbox does not meet the HIPAA bar for patient photos: no Business Associate Agreement, no guaranteed US data residency, no audit log. Only business tiers with a signed BAA can be acceptable. We check where your photos actually live and which configurations would pass review and which would not.

"Does the patient need to consent to the scan?"

No. PreScan and CyberAudyt examine only internet-facing infrastructure - the domain, booking systems, account exposure. We do not reach into medical records or any individual patient's data, so their consent is not required. We assess what a potential attacker already sees, not the contents of any chart.

"Does HIPAA apply to a med spa or aesthetic clinic?"

It depends on whether you are a covered entity — meaning you transmit health information electronically in connection with a HIPAA-covered transaction (billing, referrals, prescriptions). Most clinics that bill insurance or share records with referring physicians are covered. Even if you are not, all 50 states have separate breach notification laws that apply regardless of HIPAA status.

"What if a patient photo leaks - what are our obligations?"

A before/after photo leak involving ePHI triggers the HIPAA Breach Notification Rule: you must notify affected patients and report to HHS within 60 days, and notify local media if 500+ records in a state are involved. State breach notification laws may require even faster notification. The best defence is preventive: PreScan and CyberAudyt find the risks before they become a breach, and if we detect an existing credential leak you get a list of accounts to change immediately.

"What does the assessment look like for two locations?"

Each location has its own attack surface - a separate IP, sometimes separate cameras, separate remote access. CyberAudyt covers both in one report, with particular attention to shared accounts and booking-system logins, which are a typical weak point across multiple sites. For larger networks we prepare a custom-scoped quote.

"Will the test disrupt work during procedures?"

No. PreScan is entirely external and passive - we do not touch the booking system, cameras or clinic network; we work from the same information an attacker would gather from outside. The full CyberAudyt also requires no schedule interruption and no on-site visit. Procedures run as normal while we work in the background.

"Will the report be useful for my professional-liability insurer?"

Yes. More cyber and medical-liability policies now require evidence of security measures - MFA, backups, an external audit. The CyberAudyt report (or the post-remediation re-scan report) is written so you can present it to an insurer as proof of due diligence - often the condition for a better premium, or for cover at all.

"What does the report look like?"

The CyberAudyt report is written for the physician running the clinic, not for an IT specialist: an executive summary, a findings list with severity ratings, a remediation plan, and a separate technical section for your IT provider or MSP. Plain English throughout.

"If you find something, do we have to hire you to fix it?"

No. The assessment identifies what needs fixing and in what order. Remediation can be done by your IT provider, the booking-system vendor, or any cybersecurity firm. If you do not have a trusted IT provider we can point you to a proven option - but there is no lock-in.

Get a free PreScan for your clinic

You send us your domain. We tell you in 24 hours what an attacker sees from the outside - the booking system, social-account exposure, photo-storage gaps. If it's nothing serious, you keep the report and we disappear. If it's serious, you get a fixed-price proposal - no pressure, no subscription.

No credit card. No access to your systems. No recurring fees.

Sources

  1. HIPAA Civil Monetary Penalties and Security Rule — HHS OCR enforcement; HIPAA definition of protected health information (hhs.gov)
  2. IBM Cost of a Data Breach Report 2024 (ibm.com/reports/data-breach)
  3. HIPAA Breach Notification Rule — 60-day HHS notification and patient notification requirements (hhs.gov)
  4. Verizon Data Breach Investigations Report 2024 (verizon.com/dbir)