"Lena Health is on the small side compared to our other victims, but we are so sick of the endless "AI-driven" SaaS (Slop As A Service) startups that we've made a point of targeting these snake oil vendors specifically. Especially those ones that deal with vulnerable populations and stock their users' PHI and other sensitive data on vulnerable servers accessible by the entire internet."
"The listing claims that Lena Health "stored 2,134 patients' complete PHI in an unencrypted database export sitting in a public-facing S3 bucket." In email, however, FulcrumSec provided DataBreaches with greater clarity about the situation, explaining that they gained access via a major vulnerability that went public in early December. There was a patch available since early December, but Lena Health had not yet patched by the time they were attacked a week or two later in Decembe"
Serviceaide experienced a data breach that exposed the protected health information of 483,000 Catholic Health patients in Buffalo, New York. The breach occurred in 2024 and was discovered in May 2025, prompting at least six federal class-action lawsuits. A separate, smaller breach involved Lena Health, an AI-based care coordination platform. A hacking forum listing claimed that an unencrypted database export in a public-facing S3 bucket contained 2,134 patients' complete PHI, and included Twilio call recordings and discharge documents with last names redacted. Attackers exploited a major vulnerability disclosed in early December; a patch existed, but Lena Health had not applied it before the compromise.
#healthcare-data-breach #protected-health-information-phi #ai-healthcare-vendors #unpatched-vulnerability
Read at DataBreaches.Net