Medical Data of Auto Accident Victims Exposed Online
Secure Thoughts collaborated with Security Expert Jeremiah Fowler to expose a leak of millions of personal medical records by an Artificial Intelligence company. Here are his findings:
On July 7th I discovered 2.5 million records that appeared to contain sensitive medical data and PII (Personally Identifiable Information). The records included names, insurance records, medical diagnosis notes, and much more. Upon further research, there were multiple references to an artificial intelligence company called Cense. The records were labeled as staging data and we can only speculate that this was a storage repository intended to hold the data temporarily while it is loaded into the AI Bot or Cense’s management system. As soon as I could validate the data, I sent a responsible disclosure notice. Shortly after my notification was sent to Cense I saw that public access to the database was restricted.
According to their LinkedIn profile: “Cense provides SaaS-based intelligent process automation management solutions. Its product includes Cense Bot that allows users to automate the tasks, assist employees and employees with information. Other solutions include tickets management, appointment scheduling and process cycle management and more. It also provides end-to-end business process management using machine learning technologies. It caters solutions to education, healthcare, retail and e-commerce”.
There were multiple clinics, insurance providers, and accounts listed, and it appeared to be one of their clients’ data, but I was never able to validate exactly who the client was or if this was all of their clients. There were two separate folders with suspected medical data: one contained 1.58 million records and the other had 830,000 records. The misconfiguration and exposed data were stored directly on the same IP address as Cense’s website. When removing the port from the IP address, anyone with an internet connection could directly access the staging portal. This made verifying the owner of the dataset easy, but it also potentially exposed other areas of their network by keeping their entire cloud infrastructure in one place.
Data Paints a Picture
Based on the information I saw inside the records, this dataset appeared to be individuals who were in car accidents and referred to chiropractic or other neck and spinal injuries. All of the insurance information was from auto insurance providers and this included the policy numbers, claim numbers, date of accidents, and other information. Of the sampling I reviewed, nearly all of them were based in New York, but I cannot rule out that individuals from other states were also affected. As a Security Researcher, I never extract or download the data I find and only review and validate a limited sampling. It is often a race against the clock to protect the data and notify the organization as fast as possible, and that can limit the time it takes to analyze the data thoroughly.
The validation process is different for every discovery, but looking at names and locations can provide clues to determine if it is real or dummy data. To do this I simply searched several very obscure or unique names using Google and ironically there would be only 1 or 2 people in the entire United States with that name, geolocation, and matching age range. This is what led me to assume this is real data and these are real individuals. The law firms and other data also matched up to real individuals. My goal is always to help secure exposed data and responsibly notify the owners of the data we discover before it is compromised, stolen, or wiped out by ransomware.
Medical data is the most valuable and it is bought and sold daily on the Dark Web. The infosec company Trustwave published a report that valued medical records at $250 per record on the black market, while credit cards sold for $5.40 per record. It is easy to see why cybercriminals would want to target the most valuable data above all others. Companies and organizations must do a better job to protect the data they collect and store, but when that data may include medical or patient information it should never be stored in plain text.
What was in the database:
- This database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
- 2,594,261 Total Records Exposed
- Names, insurance records, medical diagnosis notes that could potentially violate HIPAA regulations. (In selective sampling, we were able to validate some of the obscure names to individuals living in the New York area).
- Records that indicated payment and collections amounts and totals
- Database at risk for ransomware
- IP addresses, Ports, Pathways, and storage info that cybercriminals could exploit to access deeper into the network.
Whenever there is a potential data exposure, companies have an obligation and a duty to notify users when their data is involved. In this case, the most concerning thing was that I could see names, dates of birth, addresses, and medical notes that could potentially violate HIPAA laws. I am in no way implying that there was any violation or that Cense has violated any legal data breach notification requirements. However, the penalties for violating HIPAA rules can be severe and amount to fines up to a maximum of $25,000 per violation. I am only highlighting the facts of my discovery to raise awareness.
Any data exposure can potentially put users or customers at risk, but no other data is as high of a threat as medical or health records. The database also contained internal records that were at risk for a ransomware attack. It is unclear how long the data was exposed or who else may have had access to the data. It is also unclear if the authorities or impacted individuals have been notified of the data exposure. On July 8th I sent a second message confirming that public access had been restricted and the data was no longer exposed. Unfortunately, no one replied to my initial notification or follow-up message. No one from Cense has provided a statement or comments regarding the data incident at the time of publication.
According to Cense’s website, the company has offices in New York City and Mumbai, India. Under New York law, the “Information Security Breach and Notification Act,” effective December 7, 2005, provides New York State residents with the right to know when a security breach has resulted in the exposure of their private information. Under section 899-aa of the General Business Law, a person or business conducting business must also notify the NYS Attorney General; the NYS Division of State Police; and the Department of State’s Division of Consumer Protection.