‘Cense.AI’ Exposed 2.5 Million Medical Records Online

By Bill Toulas / August 19, 2020

According to a report by unprotected database hunter Jeremiah Fowler, ‘Cense.AI’ has left a temporary data storage repository online and accessible by anyone with a web browser, possibly due to an error. Unfortunately, the database contained 2,594,261 records consisting of sensitive medical information and PII.

More specifically, there were full names, dates of birth, addresses, insurance records, medical diagnosis notes, clinics, insurance provider details, accounts, payment records, and more. In addition to that, some of the details could lead to a network compromise event such as IP addresses, ports, pathways, storage information, etc.

Fowler noticed the repeated references to Cense, so he quickly identified the data owner. ‘Cense.AI’ is a SaaS solution provider that deploys advanced AI bots to help with data management. Cense develops automated machine learning algorithms to help its clients automate tasks and processes, and gradually phase out the need for human intervention.


Source: Security Thoughts

While this sounds like a great way to save on time and resources, it resulted in a pretty damaging data breach in this particular case.

The researcher found two folders containing the data mentioned above and managed to access anything by removing the port from the IP address of the Cense’s website. Clearly, the data was stored in Cense’s cloud infrastructure.

By looking deeper into the entries, the researcher found a common denominator: all individuals listed there had a car accident. In most cases, there was also information like policy numbers, claim numbers, date of the accident, and other relevant stuff. In most cases, the entries concerned New York citizens, although Fowler didn’t get the chance to look on all of the records.

This data is a trove in the hands of phishing actors and scammers, as there’s a wide range of possible exploitation scenarios that stream from it. Unfortunately, Cense has decided to pretend that nothing happened. They issued no official statement or announcement, and they sent no notification letters to the affected individuals.

The database was discovered on July 7, 2020, when the researcher sent a notification to Cense. The next day, the firm closed down public access but didn’t respond to Fowler’s messages and never clarified the initial exposure date.

Under New York law (“Information Security Breach and Notification Act” - 2005), the company is obliged to inform the authorities of the breach, which they may or may not have done. Also, under section 899-aa of the General Business Law, the NY Attorney General should be notified of the breach, but we could not find any entry associated with this incident yet.

Read More:

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: