Cense.ai is an Artificial Intelligence company that works in a wide range of areas. According to the company website, Cense.ai focuses on “Automated Machine Learning, Faster AI Models,” and the development of a “Knowledge Repository.” It is this last practice that led to the company exposing over 2.5 million medical records. According to researcher Jeremiah Fowler, all of the records were readily available to view or download by anyone with an Internet connection.
Though it remains unclear how long the data was available online, Fowler made the discovery on July 7th, 2020. As soon as he knew what he was looking at, he immediately contacted the company hosting the data, Cense.ai. Soon after the discovery and Fowler’s discloser notice, Cense.ai restricted public access to the data. However, Fowler is not sure how long the data was available or if anyone accessed it before it was taken down.
Not only is medical data considered extremely sensitive personal information, but it’s also highly profitable. According to Fowler, just one medical record can sell for $250 or more to cybercriminals. That means that the data Cense.ai left exposed could have been worth somewhere between $600-$700 million on the black market. So far, Cense.ai has not made a public statement about the breach or their attempts to ensure greater cybersecurity going forward.
Though the exact cause of the exposure is not known, Fowler believes that the data was temporarily put online while Cense.ai before being transferred to its own management system. It may sound like a small error, but this oversight put millions of people’s personal identifiable medical information on full display. According to initial reports, the exact number of records exposed was 2,594,261.
In his disclosure, Fowler stated that the records he found included names, insurance and medical records, as well as payment information. The data appeared to be sourced from auto insurance claims that focused on neck and spinal injuries. Thus, the people whose information was exposed are for the most part also the victims of auto accidents involving serious injuries.
While it’s good that people like Jeremiah Fowler are working to make the Internet more secure, it’s frightening to see the lack of oversight company’s take with sensitive data. Businesses all over the world collect personal data from billions of people every single day. Even with security measures in place, some information is bound to be leaked or stolen. Any business working with PII (personal identifiable information) needs to stay vigilant in terms of its cybersecurity efforts.
In the case of Cense.ai’s data exposure, virtually no precautionary measures were taken. The data was simply left available to anyone online. If someone with malicious intentions obtained any of it — which is highly plausible —personal medical information might already be spreading throughout the deep web.
Cense.ai’s lack of cybersecurity could also pose a huge legal issue for the company. Given the enormity of the error, they might be at risk for a class action lawsuit. Cense.ai is located in New York, where HIPAA violations are taken very seriously. So, even if the company doesn’t face any individual or class action lawsuits, they might face heavy fines and penalties from the state government. Worst case scenario for the company, Cense.ai might be forced to cease operations.
This latest disclosure of medical data shows the current state of cybersecurity vulnerabilities. While Cense.ai can potentially face penalties, there’s unfortunately nothing that can be done about the data that was already exposed. In order to truly protect citizens in the virtual sphere, leaks like these must be made aware to the masses so those affected can take proper action to protect themselves.
