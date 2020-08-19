Experts Reaction On Discovery Of Over 2.5M Medical Records Publicly Available

The security researcher Jeremiah Fowler discovered two folders of medical records in the possession of artificial intelligence company Cense AI that were available for anyone to access on the Internet. The data was labeled as “staging data” and is believed to have been temporarily hosted online before being loaded into the company’s management system or an AI bot. The medical records are quite detailed and include names, insurance records, medical diagnosis notes, and payment records. It looks as though the data was sourced from insurance companies and relates to car accident claims and referrals for neck and spine injuries.

EXPERTS COMMENTS
Mark Bower, Senior Vice President, comforte AG
August 19, 2020
Organizations must at least operate under a HIPAA Business Associate Agreement with the data provider
Sensitive insurance claims processing data, which looks to be in the data in question, is regulated under HIPAA, GLBA, and various state security and privacy mandates in the US. Yet clearly, this data interchange lacked any data security to meet such rules. To receive such information, organizations must at least operate under a HIPAA Business Associate Agreement with the data provider.
Tim Mackey, Principal Security Strategist, Synopsys CyRC
August 19, 2020
Breaches involving even basic treatment information could be used in targeted attacks.
Cloud storage solutions are convenient and cost-effective, but we must not forget that proper configuration of any cloud service means configuring components, like S3 buckets, securely. Securely in this context implies a review of the security requirements for the data stored, but also ensuring that regulations like HIPAA are respected. With some people having fairly unique names, breaches involving even basic treatment information could be used in targeted attacks.
Paul Bischoff, Privacy Advocate, Comparitech
August 19, 2020
Criminals could use the information to get treatment or prescriptions in someone else's name.
Cybercriminals could use the information exposed in this breach for health insurance fraud and phishing. Criminals could use the information to get treatment or prescriptions in someone else's name. Affected patients should also be on the lookout for scammers posing as their insurance company or a related organization.
Chris Hauk, Consumer Privacy Champion, Pixel Privacy
August 19, 2020
Consumers need to be on their toes, staying alert for any bad guys that may have gotten their hands on this data.
Sadly, incidents like this, and many others, are a sobering reminder that our personal medical information is always at risk of being exposed. Medical information is always some of the most valuable information for bad actors, and in these days of COVID-19, this has never been more true. Companies need to learn to secure data, even if it is just being temporarily stored before moving it to a secure system.

