2.5 Million Patient Records Exposed by Cense AI Online

Technology and security consultant Jeremiah Fowler announced that the personal and health information of about 2.5 million patients were exposed on the internet.

On July 7, 2020, two folders that contain the information were found publicly accessible online and without needing any passwords to get access. An artificial intelligence firm known as Cense AI hosted the folders tagged as “staging data.” Cense AI is a company that offers SaaS-based intelligent process automation management services. The folders were located on an identical IP address like the Cense website and were accessible by taking away the port from the IP address, which may be done by any person having a web connection. The information may have been viewed, modified, or downloaded at the time it was publicly accessible.

A review of the information indicates it was gathered from insurance firms and refer to people who were engaged in car accidents and were referred for therapy for spinal and neck injuries. The data was very precise and contained patient names, birth dates, addresses, policy numbers, claim numbers, diagnosis remarks, payment information, date of the accident, and other data. Most persons in the data set were from New York. Altogether, 2,594,261 files were compromised from two folders.

Fowler found particularly uncommon names and conducted a Google search to confirm if those people were real, verifying the name, location and demographic information. Fowler contended that this was a true data set and wasn’t phony information. Fowler contacted Cense through email and though there was no reply, the data became unavailable on July 8, 2020.

Fowler thinks that the data were briefly kept into a storage space before being stored into Cense’s management or AI system. The period of time the data was compromised cannot be established.

At this time, no breach notice is posted on the Cense website and the breach is likewise not yet shared on the HHS’ Office for Civil Rights breach portal. Fowler stated he just accessed some information for confirmation purposes and didn’t obtain any patient data; nonetheless, while the folders were accessible, it is probable that other persons might have discovered and gotten the information.

Data leaks like this occurrence are quite prevalent. Improper configurations of online resources like Amazon S3 buckets and Elasticsearch instances often let the exposure of sensitive data. Cybercriminals are continuously looking for exposed information and it doesn’t take much time to locate data. One research performed by Comparitech demonstrated that it takes only a couple of hours to discover exposed Elasticsearch instances.

Cloud services provide a lot of merits over on-premises options, however, it is crucial to implement securities on any web information and to enforce policies and procedures that will enable fast identification of improper settings and fix them.