[BreachExchange] AI firm exposes 2.5 million sensitive medical records online

[Destry Winant]

https://www.hackread.com/ai-firm-exposes-sensitive-medical-data-online/

The data also includes records belonging to victims of auto-related accidents.

2.5 million medical records containing sensitive and confidential data
have been exposed by a New York-based artificial intelligence company
called Cense. Jeremiah Fowler a researcher and co-founder of Security
Discovery on 7th July discovered the exposed data potentially risking
millions of lives and identities openly.

It is worth noting that the details of the beach were only shared
recently on 17th August. The company in question called Cense.ai
provides an artificial intelligence bot that helps automate processes
and assist employees and customers with quick information.

Further investigation by Fowler brought light to what caused the
misconfiguration and data vulnerability. Basically, the records were
termed as ‘staging data’ that functioned as a storage repository
intended to hold the data temporarily before it was loaded on Cense
Bot or Cense’s management system.

Although, Fowler was unable to validate whether this was just one
client or several clients’ exposed data. He did, however, stumble upon
two folders, one contained 1.58 million records and the latter ensued
830,000 entries.

However, the blip on the radar is that anyone with a conceptual grasp
could have easily edited, delete, or even download the files without
any administrative credentials in pursuit.

Moreover, a whopping 2,594,261 medical records were exposed which
included Personally identifiable information (PII) and other sensitive
information such as patient names, insurance records, medical
diagnosis, and payment information. Also, such callousness could have
opened doors for ransomware.

What is rather unnerving is the fact that once the medical records
were accessible, a further probe led Fowler to patients who were in
car accidents. Even their referrals to chiropractors for neuromuscular
disorders such as spinal or neck injuries were readily exposed and
available.

The security researcher also conducted a validation process that led
him to believe that the data in the wrong hands could have easily
identified the customers.

I simply searched several very obscure or unique names using Google
and ironically there would be only 1 or 2 people in the entire United
States with that name, geolocation, and matching age range. This is
what led me to assume this is real data and these are real
individuals, wrote Fowler in a blog post.

However, Fowler informed Cense about the exposed data shorty after
which the access to the database was restricted. Nevertheless, if the
notification wasn’t sent the sensitive information could have been
subject to further hacking and fraudulent activities.

It is still unclear whether Cense has reported the data exposure to
the individuals at risk.

On July 8th I sent a second message confirming that public access had
been restricted and the data was no longer exposed. Unfortunately, no
one replied to my initial notification or follow up message. No one
from Cense has provided a statement or comments regarding the data
incident at the time of publication, revealed Fowler.

The incident should not come as a surprise since misconfigured
databases have exposed billions of sensitive records in the last
couple of years. In fact, the situation is so critical that according
to a new poll database configuration errors are the number one threat
to cloud security.

Only last month, another security researcher and consultant named
Volodymyr ‘Bob’ Diachenko discovered 3.1 million patients data exposed
by a medical software company called Adit, a Houston, TX-based
company. The misconfigured Elasticsearch cluster included confidential
information and yet again had no authentication or passwords ensuing
exposed permeability.