‘Cense.AI’ Exposed 2.5 Million Medical Records Online

  • An AI-based SaaS provider exposed roughly 2.5 million sensitive records online.
  • The same repository leaked internal details (IP addresses, ports, storage paths) that put the firm's own network at risk of ransomware or a full compromise.
  • The leaked data concerns people who received medical treatment following a car accident.

According to a report by Jeremiah Fowler, a researcher who hunts for unprotected databases, ‘Cense.AI’ left a temporary data storage repository online, accessible to anyone with a web browser and no authentication, most likely through a misconfiguration. The database contained 2,594,261 records made up of sensitive medical information and PII.

More specifically, there were full names, dates of birth, addresses, insurance records, medical diagnosis notes, clinic names, insurance provider details, account details, payment records, and more. Alongside the personal data, the repository held internal details that could enable a network compromise: IP addresses, ports, storage paths, storage configuration information, and similar.

Fowler noticed repeated references to Cense in the records, which let him quickly identify the data owner. ‘Cense.AI’ is a SaaS provider that deploys AI bots to help with data management. Cense develops automated machine learning pipelines that let its clients automate tasks and processes and gradually phase out the need for human intervention.

Source: Security Thoughts

While that sounds like a good way to save time and resources, in this case it came with a damaging data exposure.

The researcher found two folders containing the data described above. Removing the port number from the database's IP address brought up Cense's own website, which indicated that the data was hosted on Cense's cloud infrastructure rather than on a third party's.

Looking deeper into the entries, the researcher found a common denominator: every individual listed had been in a car accident. Most entries also carried policy numbers, claim numbers, the date of the accident, and other claim details. Most of the entries concerned New York residents, although Fowler did not review all of the records.

This data is a trove in the hands of phishing actors and scammers, since a wide range of exploitation scenarios stem from it: insurance-claim fraud, targeted phishing that references a real accident and claim number, or medical identity theft. So far, Cense has acted as if nothing happened. It has issued no official statement or announcement and sent no notification letters to the affected individuals.

The database was discovered on July 7, 2020, and the researcher notified Cense the same day. The next day, the firm restricted public access, but it did not respond to Fowler's messages and never clarified how long the data had been exposed.

Under New York's Information Security Breach and Notification Act (2005), codified at section 899-aa of the General Business Law, a company that exposes the private information of New York residents must notify the affected individuals and the state Attorney General. Whether Cense has done so is unknown; we could not find any entry associated with this incident in the Attorney General's breach notifications yet.
