Overview
Severity: CRITICAL | Affected: GenHealth AI | Category: breach
GenHealth AI, a prominent provider of AI-powered diagnostic tools for hospitals, has disclosed a significant data breach affecting approximately 1.5 million patient records. The breach occurred due to a misconfigured API endpoint in their "DiagnoseAssist" platform, which was designed to allow hospital systems to upload and analyze medical imaging data. Attackers exploited a lack of proper authentication and rate-limiting on this endpoint, allowing them to exfiltrate sensitive patient data over several weeks. The exposed data includes patient names, dates of birth, medical diagnoses, and links to high-resolution medical images. GenHealth AI's internal investigation revealed that the vulnerable endpoint was a legacy component that was not properly decommissioned. The company is now facing regulatory scrutiny under HIPAA and GDPR, and has notified affected individuals and healthcare providers.