AI firm exposes 2.5 million sensitive medical records online