Overview
Severity: CRITICAL | Affected: HealthMind | Category: breach
The AI healthcare firm HealthMind has disclosed a critical data breach affecting two million patient records. Attackers successfully executed a model inversion attack against the company's proprietary diagnostic imaging API. The technique allowed the threat actors to reconstruct sensitive patient information, including names, birthdates, and partial medical images, by repeatedly querying the model and analyzing its output probabilities. An investigation revealed that the AI model was inadvertently trained on production data that had not been properly anonymized, retaining traces of the original patient records. The breach went undetected for several weeks. This incident highlights the severe privacy risks associated with deploying AI in sensitive domains and underscores the necessity of rigorous data sanitization and inference-time security controls. HealthMind is now facing multiple class-action lawsuits and regulatory scrutiny.