Overview
Severity: CRITICAL | Affected: SynthCare AI | Category: breach
SynthCare AI, a prominent developer of AI-powered diagnostic tools for the healthcare industry, has disclosed a critical data breach that exposed the sensitive records of approximately 2 million patients. In a novel attack vector, threat actors did not breach the company's databases directly. Instead, they employed a sophisticated model inversion attack against SynthCare's publicly-facing diagnostic API. By sending a high volume of structured queries to the AI model, the attackers were able to reverse-engineer and reconstruct parts of the original training dataset. This dataset contained sensitive personally identifiable information (PII) and protected health information (PHI), including names, birthdates, and partial diagnostic notes. The incident is a stark reminder of the privacy risks associated with deploying AI models trained on sensitive user data. Security experts are highlighting the urgent need for techniques like differential privacy and rigorous model auditing to prevent such data reconstruction attacks.