Healthcare Staff Database with 86,000 Records Exposed Online
A database owned by a New Jersey health technology company has been exposed online, allowing sensitive data to be freely accessed by anyone without the need for any authentication. The non-password-protected database was linked to ESHYFT, which operates in 29 U.S. states and offers a mobile app platform that connects healthcare facilities with healthcare workers such as Licensed Practical Nurses (LPNs), Registered Nurses (RNs), and Certified Nursing Assistants (CNAs). The app is available in the Apple App Store and on Google Play, with the latter showing the app has been downloaded more than 50,000 times. The app can be used by nurses to find shifts that fit their schedules and by healthcare facilities to find vetted nursing staff to fill vacancies.
The exposed 108.8 GB database was found by cybersecurity researcher Jeremiah Fowler, who shared his findings with Website Planet. Fowler identified 86,341 records in the database, a sample of which included profile/facial images, monthly work schedules, professional certificates, work assignment agreements, CVs, and resumes. A single spreadsheet was found that contained more than 800,000 entries that included internal IDs of nurses, facility names, shift times and dates, hours worked, and other information. Medical documents were also found that included diagnoses, prescriptions, and treatments, which Fowler presumed served as proof of medical grounds for missing shifts.
The database setup was such that user files were uploaded to a single folder, which means less sensitive data such as facial photographs were not segregated from more sensitive data such as medical documents. In the event of unauthorized access, or in this case a lack of protection, all data could be accessed. The database should have been at least password protected – and ideally encrypted – and had multifactor authentication enabled, so a password alone would not grant access.
When ESHYFT was identified as the likely owner, Fowler sent a responsible disclosure notice and received notification that the matter was being looked into. Fowler was unable to determine if the database was owned and managed by ESHYFT or a third-party vendor. It is also unclear how long the database was accessible online and if it was accessed by any unauthorized individuals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
