LENA Health, an AI-based care coordination platform headquartered in Houston, Texas, is reported to have stored PHI for a number of patients in an unencrypted public-facing storage bucket, with claims that 2,134 patients’ complete PHI were included. According to FulcrumSec, access was gained via a major vulnerability that went public in early December, and Lena Health had a patch available since then but had not applied it by the time the attackers acted in December.
The forum listing also claims the bucket contained 19,542 recorded calls with patients and 68 discharge documents, though FulcrumSec later told DataBreaches that there were duplicates and that the true counts were lower. Lena Health is a business associate for Houston Methodist in Texas, and the breach involved patient data from that provider, with recordings revealing names, phone numbers and care coordinators.
The article notes that it is not clear whether all patients knew they were interacting with AI on recorded calls, and that neither Lena Health nor Houston Methodist responded to repeated inquiries.