Jeremiah Fowler reports: On July, 7th I discovered 2.5 million records that appeared to contain sensitive medical data and PII (Personally Identifiable Information). The records included names, insurance records, medical diagnosis notes, and much more. Upon further research, there were multiple references to an artificial intelligence company called Cense. The records were labeled as staging data and we can only speculate that this was a storage monument intended to hold the data temporarily piece it is loaded into the AI Bot or Censes management system. as soon as i could validate the data, I sent a responsible disclosure notice. Shortly after my notification was sent to Cense I saw that public access to the database was restricted. Read more on SecureThoughts.com. This is your periodic reminder: just because there are sensitive medical notes or information in a database, that does not mean that HIPAA has any connectedness to the data or that there is any likely violation of HIPAA. Only certain kinds of entities are covered by HIPAA. so even though Fowler states, “I am in no way implying that there was any violation or that cense has violated any legal data transgress notification requirements,” why cite HIPAA at all? so what should happen next? That depends. Is anyone going to story this to the NYS Consumer Protection/Attorney General’s Office to bespeak investigation into the incident and the need for notification? DataBreaches.net reached out to Cense for some answers yesterday, including questions about their intentions to notify states or individuals. This site has received no answers as yet. This post will live updated when a response is received.