Overview
Severity: CRITICAL | Affected: CuraAI | Category: breach
The AI-driven healthcare diagnostics company, CuraAI, has confirmed a massive data breach exposing the sensitive personal and medical records of approximately 5 million patients. The incident was traced back to a misconfigured AWS S3 bucket that was left publicly accessible. The exposed data, which was being used to train CuraAI's diagnostic models, included patient names, dates of birth, medical histories, and high-resolution medical imagery. A security researcher discovered the exposed bucket on June 20th and alerted the company, which secured the data within hours. However, evidence suggests the data was accessible for at least three months prior to its discovery. The breach highlights the critical importance of robust cloud security posture management, especially when handling sensitive data for AI training. CuraAI is now facing multiple class-action lawsuits and regulatory investigations under both HIPAA and GDPR, with potential fines reaching into the hundreds of millions.