2.5 Million Patient Records Hosted by Cense AI Compromised Over the Internet

Technology and security consultant Jeremiah Fowler reported that the personal and health data of over 2.5 million patients were compromised on the web.

On July 7, 2020, two folders comprising the data were found publicly available over the web and without requiring any passwords to access. An artificial intelligence company called Cense AI hosted the folders marked as “staging data.” Cense AI is a firm that delivers SaaS-based intelligent process automation management solutions. The folders were managed on a similar IP address as the Cense website and were accessible by taking out the port from the IP address, which can be carried out by anybody using an Internet connection. The data could have been seen, changed, or downloaded when it was open to the public.

An evaluation of the data implies it was accumulated from insurance providers and relate to persons who were involved in vehicle accidents and were referred for treatment for neck and spinal problems. The information was particularly thorough and listed patient names, dates of birth, addresses, claim numbers, policy numbers, diagnosis information, payment details, accident date, and other details. Many people in the data set were located in New York. As a whole, 2,594,261 patient data were exposed from two folders.

Fowler discovered very uncommon names and made a Google search to check if those persons were real, reviewing the name, place, and demographic details. Fowler was convinced that this was a genuine data set and wasn’t fake information. Fowler sent a message to Cense by means of email and although there was no answer, the data became inaccessible on July 8, 2020.

Fowler believes that the information was momentarily placed into a storage location prior to being placed into Cense’s management or AI system. The length of time the information was exposed cannot be determined.

At present, no breach notice is published on the Cense webpage and the incident is also not yet posted on the HHS’ Office for Civil Rights webpage. Fowler mentioned he merely accessed minimal information for validation purposes and didn’t acquire any patient records; nevertheless, when the folders were unsecured, it is likely that other people may have located and accessed the data.

Data leaks such as this incident are very widespread. Wrong configurations of web resources like S3 buckets and Elasticsearch instances usually allow the exposure of sensitive data. Cybercriminals are continually seeking exposed records and it doesn’t take long to find data. One study done by Comparitech showed that it takes merely several hours to find exposed Elasticsearch instances.

Cloud services have several pros over on-premises tools, yet it is important to put in place defenses on any cloud data and to implement policies and procedures that would allow rapid identification of improper configurations and resolve them.