Overview
Severity: CRITICAL | Affected: GenHealth AI | Category: breach
The AI-powered diagnostic startup, GenHealth AI, has disclosed a severe data breach affecting approximately five million patients. Attackers did not compromise traditional databases but instead exploited a vulnerability in the company's public-facing diagnostic AI model. Using a sophisticated model inversion technique, the threat actors were able to reconstruct sensitive patient data that the model had memorized from its training set. By sending a high volume of carefully crafted queries and analyzing the model's confidence scores and outputs, they successfully extracted fragments of personally identifiable information (PII) and protected health information (PHI), including names, diagnostic notes, and genetic markers. This incident marks one of the largest breaches attributed directly to a model vulnerability rather than infrastructure insecurity. It serves as a critical warning about the privacy risks of data memorization in large-scale AI systems, particularly those trained on sensitive datasets like medical records, and is expected to trigger intense regulatory scrutiny.