In the ever-changing world of cyber security there are few types of records that are as valuable or sensitive as medical data. On July 7th, I discovered 2.5 million records that appeared to contain PII. Any exposed data that can be used to identify individual users or clients is considered highly sensitive. In this case, I was able to see names, insurance records, medical diagnosis notes, and much more. My full discovery was published at Secure Thoughts, a website dedicated to privacy, security, and data protection. Here is a brief summary of what was found and how it potentially risked the identities of a large number of accident victims.
The records appeared to belong to a New York-based artificial intelligence company called Cense. The records were labeled as staging data, and we can only speculate that this was a storage repository intended to hold the data temporarily while it is loaded into the AI Bot or Cense’s management system. As soon as I could validate the data, I sent a responsible disclosure notice. Shortly after my notification was sent to Cense, I saw that public access to the database was restricted.
Big Data Equals Big Exposures
I saw information in the records that appeared to relate to individuals who were in car accidents and were referred for chiropractic or other neck and spinal injuries. All of the insurance information was from auto insurance providers, and this included the policy numbers, claim numbers, dates of accidents, and other information.
Medical records are arguably the most valuable type of data. Some report that medical records can sell for as much as $250 per record on the black market, while credit cards sold for only $5.40 per record. Any data exposure can potentially put users or customers at risk, but no other data is as high a threat as medical or health records.
For more information, questions, or comments, please reach out to me directly at j(at)securitydiscovery.com