Overview
Severity: CRITICAL | Affected: CureAI | Category: breach
CureAI, a prominent AI-powered diagnostic platform, has confirmed a significant data breach exposing the sensitive health information of approximately 2.5 million patients. The breach was traced back to a publicly accessible vector database instance used to store and index patient data for their diagnostic LLM. The database, which contained detailed medical histories, diagnoses, and personal identifiers converted into embeddings, lacked basic authentication controls. Security researchers from Sentinel Labs discovered the exposed endpoint and noted that while the data was in embedding format, it was possible to reverse-engineer or cluster embeddings to re-identify individuals and infer sensitive conditions. This incident highlights the novel security challenges presented by emerging AI infrastructure and the critical need for robust security protocols for specialized databases like vector stores.