AI Healthcare Platform Lena Health Hit by Major Data Breach Exposing Sensitive Patient Data
On June 1, 2025, cybersecurity researchers uncovered a significant data breach at Lena Health, an AI-powered care coordination platform based in Houston, Texas. The breach, attributed to the hacking group FulcrumSec, exposed the protected health information (PHI) of over 2,100 patients, primarily from Houston Methodist, along with thousands of recorded phone calls and sensitive medical documents.
How the Breach Occurred
FulcrumSec exploited an unpatched vulnerability in Lena Health’s systems, which had been publicly disclosed in early December 2024. Despite a patch being available, Lena Health had not applied it by the time the attack occurred in mid-to-late December. The hackers gained access to an unencrypted, public-facing S3 bucket, which contained:
- 2,134 patients’ full PHI (names, dates of birth, phone numbers, medical record numbers)
- 19,542 recorded phone calls (later clarified to be fewer than 7,500 after deduplication), many with full transcriptions
- 68 hospital discharge documents with highly sensitive details, including prescriptions for controlled substances, post-surgical care instructions, and intimate medical conditions
- API keys, staff login credentials, and patient phone numbers linked to elderly and vulnerable individuals
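The root cause above is a storage bucket that was both reachable by anyone and unencrypted. The following audit helper is an added example, not code from Lena Health or from the researchers: it evaluates the bucket policy, ACL, Public Access Block and default-encryption settings (in the shapes the S3 API returns them, assumed here as plain dicts) and flags each exposure. Bucket names and the account ID are constructed placeholders.

```python
# Canned-ACL group URIs that make a grant readable by everyone or by any AWS account.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms that open a statement to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(name, policy, acl, public_access_block, encryption_rules):
    """Return a list of findings for one bucket (empty list means nothing flagged).
    Arguments mirror parsed GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock and
    GetBucketEncryption output; pass None or [] when the setting is absent."""
    findings = []
    for i, st in enumerate((policy or {}).get("Statement", [])):
        # Conservative rule: an Allow to a wildcard principal with no Condition is public.
        if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal")) and not st.get("Condition"):
            findings.append(f"{name}: policy statement {st.get('Sid', i)} allows any principal")
    for g in (acl or {}).get("Grants", []):
        if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS:
            findings.append(f"{name}: ACL grants {g.get('Permission')} to a public group")
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    missing = [k for k in required if not (public_access_block or {}).get(k)]
    if missing:
        findings.append(f"{name}: public access block not fully enabled ({', '.join(missing)})")
    if not encryption_rules:
        findings.append(f"{name}: no default server-side encryption configured")
    return findings

# Constructed sample: a world-readable, unencrypted bucket of the kind described above.
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                  "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-care-recordings/*"}]}
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                           "Permission": "READ"}]}
# Constructed hardened counterpart: access limited to one application role, block settings on, KMS by default.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "AppOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/care-app"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-care-recordings/*"}]}
HARDENED_PAB = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}
HARDENED_ENCRYPTION = [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]

if __name__ == "__main__":
    print("\n".join(audit_bucket("exposed", EXPOSED_POLICY, EXPOSED_ACL, None, [])) or "no findings")
```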
Hackers’ Motives and Response from Lena Health
FulcrumSec claimed their attack was part of a broader campaign targeting "AI-driven SaaS startups" they accused of poor security practices. They contacted Lena Health on January 10, 2025, but the company initially failed to respond. After being provided with proof of the breach, Lena Health acknowledged the issue but ceased communication before taking further action.
The hackers later released redacted samples of the stolen data on a dedicated webpage, though they have not yet dumped the full dataset. Notably, some patients may have been unaware they were interacting with an AI system, as call recordings included personal details about living situations and medical needs.
Regulatory and Legal Implications
Lena Health is a HIPAA business associate of Houston Methodist, so the breach raises serious compliance concerns. The exposed data includes HIPAA-protected information, such as medical conditions, prescriptions, and doctor-patient communications. Neither Lena Health nor Houston Methodist has publicly responded to requests for comment as of this report.
The incident follows another major healthcare breach disclosed the same week, where Serviceaide, an AI healthcare software provider, exposed the data of 483,000 patients at Catholic Health in Buffalo, New York, due to an unsecured database. That breach, discovered in May 2025, has already resulted in six federal class-action lawsuits.
Houston Methodist cybersecurity rating report: https://www.rankiteo.com/company/houston-methodist
Lena Health cybersecurity rating report: https://www.rankiteo.com/company/lenahealth
{
  "id": "HOULEN1769632931",
  "linkid": "houston-methodist, lenahealth",
  "type": "Breach",
  "date": "1/2026",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "2,134 patients",
      "industry": "Healthcare",
      "location": "Houston, Texas",
      "name": "Lena Health",
      "type": "AI-powered care coordination platform"
    },
    {
      "customers_affected": "2,134 patients",
      "industry": "Healthcare",
      "location": "Houston, Texas",
      "name": "Houston Methodist",
      "type": "Hospital"
    }
  ],
  "attack_vector": "Unpatched vulnerability in public-facing S3 bucket",
  "data_breach": {
    "data_encryption": "No (unencrypted S3 bucket)",
    "data_exfiltration": "Yes",
    "file_types_exposed": ["Audio recordings", "Text transcriptions", "PDF/medical documents"],
    "number_of_records_exposed": "2,134 patients, 7,500+ recorded phone calls, 68 hospital discharge documents",
    "personally_identifiable_information": "Names, dates of birth, phone numbers, medical record numbers",
    "sensitivity_of_data": "High (medical conditions, prescriptions, doctor-patient communications, intimate medical details)",
    "type_of_data_compromised": ["Protected health information (PHI)", "Recorded phone calls", "Medical documents", "API keys", "Staff login credentials"]
  },
  "date_detected": "2025-06-01",
  "date_publicly_disclosed": "2025-06-01",
  "description": "On June 1, 2025, cybersecurity researchers uncovered a significant data breach at Lena Health, an AI-powered care coordination platform based in Houston, Texas. The breach, attributed to the hacking group FulcrumSec, exposed the protected health information (PHI) of over 2,100 patients, primarily from Houston Methodist, along with thousands of recorded phone calls and sensitive medical documents.",
  "impact": {
    "brand_reputation_impact": "Significant",
    "data_compromised": "Protected health information (PHI), recorded phone calls, medical documents, API keys, staff login credentials",
    "identity_theft_risk": "High",
    "legal_liabilities": "Potential HIPAA violations, federal class-action lawsuits",
    "systems_affected": "Public-facing S3 bucket, AI care coordination platform"
  },
  "initial_access_broker": {"entry_point": "Unpatched vulnerability in public-facing S3 bucket"},
  "investigation_status": "Ongoing",
  "motivation": "Targeting AI-driven SaaS startups with poor security practices",
  "post_incident_analysis": {"root_causes": "Unpatched vulnerability, unencrypted public-facing S3 bucket, delayed response to breach notification"},
  "references": [{"date_accessed": "2025-06-01", "source": "Cybersecurity research report"}],
  "regulatory_compliance": {"legal_actions": "Potential federal class-action lawsuits", "regulations_violated": ["HIPAA"]},
  "response": {"communication_strategy": "Initial acknowledgment, then ceased communication"},
  "threat_actor": "FulcrumSec",
  "title": "AI Healthcare Platform Lena Health Hit by Major Data Breach Exposing Sensitive Patient Data",
  "type": "Data Breach",
  "vulnerability_exploited": "Unpatched vulnerability disclosed in December 2024"
}