The data also includes records belonging to victims of auto-related accidents.
2.5 million medical records containing sensitive and confidential data were exposed online by a New York-based artificial intelligence company called Cense. Jeremiah Fowler, a researcher and co-founder of Security Discovery, discovered the exposed data on 7th July, openly accessible and potentially putting millions of lives and identities at risk.
It is worth noting that the details of the breach were only shared recently, on 17th August. The company in question, Cense.ai, provides an artificial intelligence bot that helps automate processes and assists employees and customers with quick access to information.
Further investigation by Fowler shed light on what caused the misconfiguration and data exposure. The records were termed ‘staging data’: a storage repository intended to hold the data temporarily before it was loaded into the Cense Bot or Cense’s management system.
Fowler was unable to validate whether the exposed data belonged to just one client or several. He did, however, find two folders: one contained 1.58 million records and the other held 830,000 entries.
The real problem is that anyone with a basic understanding of how to reach the database could have edited, deleted, or downloaded the files without any administrative credentials.
Moreover, a whopping 2,594,261 medical records were exposed, which included personally identifiable information (PII) and other sensitive information such as patient names, insurance records, medical diagnoses, and payment information. Such carelessness could also have opened the door to ransomware.
What is rather unnerving is that once the medical records were accessible, a further probe led Fowler to patients who had been in car accidents. Even their referrals to chiropractors for neuromuscular disorders such as spinal or neck injuries were readily exposed.
The security researcher also carried out a validation process that led him to believe the data, in the wrong hands, could easily have identified the customers.
“I simply searched several very obscure or unique names using Google and ironically there would be only 1 or 2 people in the entire United States with that name, geolocation, and matching age range. This is what led me to assume this is real data and these are real individuals,” wrote Fowler in a blog post.
Fowler informed Cense about the exposed data, and shortly afterwards access to the database was restricted. Had the notification not been sent, the sensitive information could have been subject to further hacking and fraudulent activity.
It is still unclear whether Cense has reported the data exposure to the individuals at risk.
“On July 8th I sent a second message confirming that public access had been restricted and the data was no longer exposed. Unfortunately, no one replied to my initial notification or follow up message. No one from Cense has provided a statement or comments regarding the data incident at the time of publication,” revealed Fowler.
The incident should not come as a surprise, since misconfigured databases have exposed billions of sensitive records in the last couple of years. In fact, the situation is so critical that, according to a new poll, database configuration errors are the number one threat to cloud security.
Only last month, another security researcher and consultant, Volodymyr ‘Bob’ Diachenko, discovered the data of 3.1 million patients exposed by Adit, a Houston, TX-based medical software company. The misconfigured Elasticsearch cluster included confidential information and, yet again, had no authentication or password protecting it, leaving it openly accessible.
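The two incidents above share one root cause: a database reachable from the internet with authentication switched off. The following elasticsearch.yml fragment is an added illustration, not a configuration from Cense, Adit, or either researcher's report, and it assumes a self-managed Elasticsearch 7.x or 8.x node. It shows the combination of settings that produces an open cluster beside the settings an operator should have in place.

```yaml
# --- Weak configuration (how an exposed cluster typically looks) ---
# Binding to all interfaces publishes the REST API on every network the host
# sits on, including a public cloud address.
network.host: 0.0.0.0
http.port: 9200
# With the security module off, anyone who can reach port 9200 can list,
# read, modify, or delete every index without a username or password.
xpack.security.enabled: false

# --- Corrected configuration ---
# Listen only on the loopback interface (or a private address) so the API is
# never directly reachable from the internet; application access goes through
# a firewall, VPN, or reverse proxy that enforces its own controls.
network.host: 127.0.0.1
http.port: 9200
# Turn on the security module: every request must now present valid
# credentials, and the built-in users must be given passwords at setup time.
xpack.security.enabled: true
# Encrypt the REST API so credentials and records are not sent in cleartext.
# The certificate paths are placeholders for this example.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
# Encrypt node-to-node traffic as well; required once security is enabled on
# a multi-node cluster.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
```

In Elasticsearch 8.x the security module is enabled by default and the node refuses to start without passwords on the built-in users, so the weak half of this fragment mostly reflects older releases or a deliberate `xpack.security.enabled: false`. The check a practitioner can run on their own cluster is simple: from a host outside the private network, an unauthenticated request to port 9200 should be refused or time out, never return cluster or index metadata.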