The security researcher Jeremiah Fowler discovered two folders of medical records in the possession of artificial intelligence company Cense AI, available for anyone to access on the Internet. The data was labeled as “staging data” and is believed to have been temporarily hosted online before being loaded into the company’s management system or an AI bot. The medical records are quite detailed and include names, insurance records, medical diagnosis notes, and payment records. It looks as though the data was sourced from insurance companies and relates to car accident claims and referrals for neck and spine injuries.
EXPERTS' COMMENTS
Tim Mackey, Principal Security Strategist, Synopsys CyRC
August 19, 2020
Cloud storage solutions are convenient and cost-effective, but we must not forget that proper configuration of any cloud service means configuring components, like S3 buckets, securely. Securely in this context implies not only a review of the security requirements for the data stored, but also ensuring that regulations like HIPAA are respected. With some people having fairly unique names, breaches involving even basic treatment information could be used in targeted attacks such as those seen with spear-phishing. While it's heartening to learn that Cense AI was quick to restrict access upon notification, if an organisation is struggling to understand the implications of their storage model, from either a security or a privacy perspective, then they should engage with professionals or consultancies skilled in conducting threat models, software architecture reviews and performing penetration testing. Independent of any regulatory sanctions, these security reviews help avoid the reputational damage that is an inevitable result of a data breach while containing the costs of both forensic reviews and the incident response itself.
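As an added illustration of the configuration review the comment above calls for (this is example code, not part of the original page and not Synopsys or Cense AI code), the following Python check evaluates the three S3 settings that decide whether a bucket is readable by anyone: the Public Access Block flags, the bucket ACL, and the bucket policy. The function names are hypothetical; the evaluation logic runs offline on the dict shapes boto3 returns, and `fetch_bucket_config` assumes a boto3 S3 client with read permissions on the bucket.

```python
import json
# ACL grantee groups that expose an object to the whole Internet or to any AWS account holder
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def evaluate_exposure(public_access_block, acl_grants, policy_json):
    """Return a list of findings; an empty list means no public exposure was detected."""
    findings = []
    # Any Public Access Block flag left off means the bucket relies on its ACL and policy being tight
    pab = public_access_block or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f, False)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    # Grants to the AllUsers / AuthenticatedUsers groups expose objects regardless of who owns them
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant.get('Permission')} to {grantee['URI'].rsplit('/', 1)[-1]}")
    # An unconditioned Allow for Principal "*" in the bucket policy is public by definition
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            findings.append(f"bucket policy allows {stmt.get('Action')} to any principal")
    return findings

def fetch_bucket_config(s3, bucket_name):
    """Collect evaluate_exposure() inputs from a boto3 S3 client (caller needs s3:Get* permissions)."""
    from botocore.exceptions import ClientError  # lazy import: the offline checks need no AWS SDK
    def get(call, key):
        try:
            return call(Bucket=bucket_name)[key]
        except ClientError:  # NoSuchPublicAccessBlockConfiguration / NoSuchBucketPolicy
            return None
    return (get(s3.get_public_access_block, "PublicAccessBlockConfiguration"),
            get(s3.get_bucket_acl, "Grants") or [],
            get(s3.get_bucket_policy, "Policy"))

# Constructed samples: a "staging" bucket left world-readable, and the same bucket after hardening
OPEN_STAGING = (None, [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}], None)
HARDENED = ({f: True for f in PAB_FLAGS},
            [{"Grantee": {"Type": "CanonicalUser", "ID": "bucket-owner-id"}, "Permission": "FULL_CONTROL"}], None)

if __name__ == "__main__":
    for label, cfg in (("open staging bucket", OPEN_STAGING), ("hardened bucket", HARDENED)):
        print(label, "->", evaluate_exposure(*cfg) or ["no public exposure detected"])
```

Run `evaluate_exposure(*fetch_bucket_config(boto3.client("s3"), name))` over every bucket in an account to turn this into a periodic audit; a non-empty result on a bucket holding regulated data is the finding to escalate.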
Paul Bischoff, Privacy Advocate, Comparitech
August 19, 2020
Cybercriminals could use the information exposed in this breach for health insurance fraud and phishing. Criminals could use the information to get treatment or prescriptions in someone else's name. Affected patients should also be on the lookout for scammers posing as their insurance company or a related organization.
Chris Hauk, Consumer Privacy Champion, Pixel Privacy
August 19, 2020
Sadly, incidents like this, and many others, are a sobering reminder that our personal medical information is always at risk of being exposed. Medical information is always some of the most valuable information for bad actors, and in these days of COVID-19, this has never been more true. Companies need to learn to secure data, even if it is just being temporarily stored before moving it to a secure system. Any data that is not secured properly is up for grabs. I feel like I am forced to say this on a daily basis in recent months, but here goes. Consumers need to be on their toes, staying alert for any bad guys that may have gotten their hands on this data and are using it in an attempt to glean more information or perpetrate monetary fraud by posing as a member of a billing firm or, even worse, a member of medical staff.
