Jeremiah Fowler reports:
On July 7th I discovered 2.5 million records that appeared to contain sensitive medical data and PII (Personally Identifiable Information). The records included names, insurance records, medical diagnosis notes, and much more. Upon further research, there were multiple references to an artificial intelligence company called Cense. The records were labeled as staging data and we can only speculate that this was a storage repository intended to hold the data temporarily while it was loaded into the AI Bot or Cense’s management system. As soon as I could validate the data, I sent a responsible disclosure notice. Shortly after my notification was sent to Cense I saw that public access to the database was restricted.
Read more on SecureThoughts.com.
This is your periodic reminder: just because a database holds sensitive medical notes or other health information, that does not mean HIPAA has any connection to the data or that any HIPAA violation is likely. HIPAA applies only to covered entities (health plans, health care clearinghouses, and providers that transmit health information electronically) and to their business associates; a third-party AI vendor is covered only if it falls into one of those roles. So even though Fowler states, “I am in no way implying that there was any violation or that Cense has violated any legal data breach notification requirements,” why mention HIPAA at all?
So what should happen next? That depends. Is anyone going to report this to the NYS Consumer Protection/Attorney General’s Office to request investigation into the incident and the need for notification?
DataBreaches.net reached out to Cense for some answers yesterday, including questions about their intentions to notify states or individuals. This site has received no answers as yet. This post will be updated when a response is received.