Cense.ai is an artificial intelligence company that operates in a wide variety of fields. According to the company’s website, Cense.ai is focused on “Automated Machine Learning, Faster AI Models” and the development of a “knowledge repository”. It is this final practice that resulted in the company revealing over 2.5 million medical records. According to researcher Jeremiah Fowler, all records could be viewed or downloaded by anyone with an internet connection.
Although it remains unclear how long the data was available online, Fowler made the discovery on July 7, 2020. As soon as he knew what he was seeing, he immediately contacted the company hosting the data, Cense.ai. Shortly after the discovery and Fowler’s announcement, Cense.ai restricted public access to the data. However, Fowler isn’t sure how long the data was available or if someone accessed it before it was removed.
Not only is medical data considered extremely sensitive personal information, it is also extremely profitable. According to Fowler, a single medical record can be sold to cyber criminals for $250 or more. That means the data that Cense.ai disclosed could be worth anywhere from $600 million to $700 million on the black market. To date, Cense.ai has not made a public statement about the breach or its attempts to ensure greater cybersecurity in the future.
Although the exact cause of the exposure is unknown, Fowler believes the data was temporarily put online before being transferred to Cense.ai's own management system. It may sound like a minor mistake, but that oversight fully exposed the personally identifiable medical information of millions of people. According to initial reports, the exact number of records uncovered was 2,594,261.
In his disclosure, Fowler stated that the records he found included names, insurance and medical records, and payment information. The data appears to have come from auto insurance claims that focused on neck and spine injuries. Most of the people whose information was disclosed are also victims of car accidents with serious injuries.
While it’s good that people like Jeremiah Fowler are working to make the internet safer, it’s frightening to see that companies don’t have oversight over sensitive data. Companies around the world collect personal data from billions of people every day. Even with security measures in place, some information can be leaked or stolen. Any company that works with personally identifiable information (PII) needs to remain vigilant about its cybersecurity efforts.
Virtually no precautionary measures were taken in the case of the data exposure by Cense.ai. The data was simply made available to everyone online. If anyone with malicious intent obtained any of this data, which is highly plausible, personal medical information may already be spreading on the deep web.
The lack of cybersecurity at Cense.ai could also pose a huge legal problem for the company. Given the huge mistake, they may be at risk of a class action lawsuit. Cense.ai is located in New York, where HIPAA violations are taken very seriously. Even if the company does not face individual or class action lawsuits, it can face hefty fines and penalties from the state government. In the worst case scenario, Cense.ai could be forced to shut down.
This latest medical data disclosure highlights the current state of cybersecurity vulnerabilities. Unfortunately, while Cense.ai may face penalties, nothing can be done about the data that has already been disclosed. In order to really protect citizens in the virtual realm, the public needs to be made aware of such leaks so that those affected can take appropriate measures to protect themselves.