‘Cense.AI’ Exposed 2.5 Million Medical Records Online

  • An AI-based SaaS solution provider has exposed a large number of sensitive records online.
  • The firm has also risked its network to ransomware attacks and even a catastrophic takeover.
  • The leaked data concerns people who received medical services following a car accident.

According to a report by unprotected database hunter Jeremiah Fowler, ‘Cense.AI’ has left a temporary data storage repository online and accessible by anyone with a web browser, possibly due to an error. Unfortunately, the database contained 2,594,261 records consisting of sensitive medical information and PII.

More specifically, there were full names, dates of birth, addresses, insurance records, medical diagnosis notes, clinics, insurance provider details, accounts, payment records, and more. In addition to that, some of the details, such as IP addresses, ports, pathways, and storage information, could enable a network compromise.

Fowler noticed the repeated references to Cense, so he quickly identified the data owner. ‘Cense.AI’ is a SaaS solution provider that deploys advanced AI bots to help with data management. Cense develops automated machine learning algorithms to help its clients automate tasks and processes, and gradually phase out the need for human intervention.

Source: Security Thoughts

While this sounds like a great way to save on time and resources, it resulted in a pretty damaging data breach in this particular case.

The researcher found two folders containing the data mentioned above and could access everything simply by removing the port from the IP address of Cense’s website. Clearly, the data was stored in Cense’s cloud infrastructure.

By looking deeper into the entries, the researcher found a common denominator: all individuals listed there had been in a car accident. In most cases, there was also information like policy numbers, claim numbers, the date of the accident, and other relevant details. Most of the entries concerned New York residents, although Fowler didn’t get the chance to look at all of the records.

This data is a trove in the hands of phishing actors and scammers, as there’s a wide range of possible exploitation scenarios that stem from it. Unfortunately, Cense has decided to pretend that nothing happened. They issued no official statement or announcement, and they sent no notification letters to the affected individuals.

The database was discovered on July 7, 2020, when the researcher sent a notification to Cense. The next day, the firm closed down public access but didn’t respond to Fowler’s messages and never clarified the initial exposure date.

Under New York law (“Information Security Breach and Notification Act” – 2005), the company is obliged to inform the authorities of the breach, which they may or may not have done. Also, under section 899-aa of the General Business Law, the NY Attorney General should be notified of the breach, but we could not find any entry associated with this incident yet.
