Overview
Severity: CRITICAL | Affected: HealthLeap AI | Category: breach
HealthLeap AI, a prominent provider of AI-driven medical diagnostic tools, disclosed a critical data breach that has exposed the sensitive records of approximately 2 million patients. The breach occurred through an improperly secured API endpoint used for ingesting training data for their machine learning models. Attackers exploited an authentication bypass vulnerability to gain access to a cloud storage bucket containing patient names, medical histories, diagnostic imagery, and other protected health information (PHI). This incident underscores the significant security risks associated with handling sensitive data in AI development pipelines. HealthLeap AI is now facing regulatory scrutiny under HIPAA and multiple class-action lawsuits. The company has stated it is working with federal law enforcement and has hired a third-party cybersecurity firm to conduct a full forensic audit.