Experts Reaction On Discovery Of Over 2.5M Medical Records Publicly available

The security researcher Jeremiah Fowler discovered two folders of medical records in possession of artificial intelligence company Cense AI available for anyone to access on the Internet. The data was labeled as “staging data” and is believed to temporarily hosted online before loading it into the company’s management system or an AI bot. The medical records are quite detailed and include names, insurance records, medical diagnosis notes, and payment records. It looks as though the data was sourced from insurance companies and relates to car accident claims and referrals for neck and spine injuries.

Experts Comments

August 19, 2020
Mark Bower
Senior Vice President
comforte AG
Sensitive insurance claims processing data, which looks to be in the data in question, is regulated under HIPAA, GLBA, and various state security and privacy mandates in the US. Yet clearly, this data interchange lacked any data security to meet such rules. To receive such information, organizations must at least operate under a HIPAA Business Associate Agreement with the data provider. The BAA outlines mandatory data security controls including data de-identification, encryption, and audit......Read More
Sensitive insurance claims processing data, which looks to be in the data in question, is regulated under HIPAA, GLBA, and various state security and privacy mandates in the US. Yet clearly, this data interchange lacked any data security to meet such rules. To receive such information, organizations must at least operate under a HIPAA Business Associate Agreement with the data provider. The BAA outlines mandatory data security controls including data de-identification, encryption, and audit. While the benefits of third-party AI services are clear, to avoid breaches like this, the data owner as well as the AI service should also consider protecting the data set before sharing and use, for example, with modern data-centric tokenization. This technology balances insight and utility with exposure risk, enabling insight and use of data in low-trust IT. In this case, there’s likely to be significant regulatory response cost which could have been avoided with some very low cost and simple data-security investments that pale in comparison to the cost of remediation.  Read Less
August 19, 2020
Paul Bischoff
Privacy Advocate
Comparitech
Cybercriminals could use the information exposed in this breach for health insurance fraud and phishing. Criminals could use the information to get treatment or prescriptions in someone else's name. Affected patients should also be on the lookout for scammers posing as their insurance company or a related organization.
August 19, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
Sadly, incidents like this, and many others are a sobering reminder that our personal medical information is always at risk of being exposed. Medical information is always some of the most valuable information for bad actors, and these days of COVID-19, this has never been more true. Companies need to learn to secure data, even if it is just being temporarily stored before moving it to a secure system. Any data that is not secured properly is up for grabs. I feel like I am forced to say this.....Read More
Sadly, incidents like this, and many others are a sobering reminder that our personal medical information is always at risk of being exposed. Medical information is always some of the most valuable information for bad actors, and these days of COVID-19, this has never been more true. Companies need to learn to secure data, even if it is just being temporarily stored before moving it to a secure system. Any data that is not secured properly is up for grabs. I feel like I am forced to say this on a daily basis in recent months, but here goes. Consumers need to be on their toes, staying alert for any bad guys that may have gotten their hands on this data and are using it in an attempt to glean more information or perpetrate monetary fraud by posing as a member of a billing firm or even worse, a member of medical staff.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts