A misconfigured database exposed 108.8 GB of sensitive data, including information on over 86,000 healthcare workers affiliated with ESHYFT, a New Jersey-based HealthTech company operating across 29 states. ESHYFT also provides a mobile platform that connects healthcare facilities with qualified nursing professionals.
The exposed database was not password-protected or encrypted and contained a treasure trove of personally identifiable information (PII) including SSNs, scans of identification documents, salary details, work history, and more.
The database was discovered by cybersecurity researcher Jeremiah Fowler who shared their report with Hackread.com revealing that the exposed data included profile images, facial images, professional certificates, work assignment agreements, CVs, and resumes.
Additionally, one spreadsheet document contained over 800,000 entries detailing nurses’ internal IDs, facility names, time and date of shifts, hours worked, and more. What’s worse, medical documents, including medical reports containing information on diagnoses, prescriptions, or treatments, were also exposed.
The exposure of such sensitive data could potentially fall under HIPAA regulations. It can also expose vulnerable users to online and physical risks, including identity theft, employment fraud, financial fraud, and targeted phishing campaigns.
The good news is that Fowler immediately notified ESHYFT. The bad news is that it took the company over a month after being alerted to restrict public access to the database. However, according to Fowler, the exposed database was not owned or directly managed by ESHYFT.
It remains unclear whether a third-party contractor was responsible for its management. Additionally, the duration of the exposure and whether unauthorized parties accessed the data are unknown.
Nevertheless, cybercriminals could use the exposed data to commit crimes in the victims’ names or deceive them into revealing additional personal or financial information. Therefore, HealthTech must implement proper cybersecurity measures including:
- Implement mandatory encryption protocols for sensitive data.
- Use multi-factor authentication to prevent unauthorized access.
- Conduct regular security audits to identify potential vulnerabilities.
- Segregate sensitive data and assign expiration dates for data that is no longer in use.
- Have a data breach response plan in place and a dedicated communication channel for reporting potential security incidents.
- Provide timely responsible disclosure notices to affected individuals and educate them on how to recognize phishing attempts.
