Overview
Severity: CRITICAL | Affected: SynthHealth AI | Category: breach
AI-powered healthcare diagnostics firm SynthHealth AI has disclosed a critical data breach that exposed the sensitive health information of approximately 1.5 million patients. Attackers exploited an insecure API endpoint used for the company's diagnostic imaging model, allowing them to perform a sophisticated model inversion attack. By repeatedly querying the API with crafted inputs, the threat actors were able to reconstruct sensitive training data, including patient names, diagnoses, and medical imagery. The incident highlights the severe risks of deploying AI systems with inadequate security controls in critical sectors. SynthHealth's incident response team stated that the vulnerable endpoint lacked proper authentication and rate-limiting, which enabled the large-scale data exfiltration. Regulatory bodies in the US and EU have launched investigations into the company's data handling and security practices.