Overview
Severity: CRITICAL | Affected: OmniHealth AI | Category: breach
Healthcare technology firm OmniHealth AI disclosed a critical data breach that exposed the sensitive records of approximately 2.5 million patients. The breach originated from a misconfigured API endpoint connected to the company's proprietary machine learning model, which hospitals use to analyze medical imagery. An independent security researcher discovered the vulnerability: the API lacked proper authentication, so the model's training and inference data were publicly accessible. That dataset contained a large volume of Protected Health Information (PHI), including patient names, birth dates, medical diagnoses, and high-resolution medical scans. The incident illustrates the growing risk of insecurely deployed AI systems in critical sectors.

OmniHealth AI has since secured the API, reported the breach to federal regulators under HIPAA, and is in the process of notifying affected individuals. The breach is expected to result in significant regulatory fines and has prompted a wider discussion on mandatory security audits for AI in healthcare.