- A security researcher found a huge unprotected database online
- It contained personally identifiable information, as well as medical data
- The database has since been locked down
ESHYFT, a technology platform designed for nurses throughout the United States, maintained a database without online protection, exposing thousands of confidential records to anyone who knew where to look.
Security researcher Jeremiah Fowler found the database, which contained 86,341 records and exceeded 100 GB. It held all types of confidential data, from names and IDs to medical reports and more.
ESHYFT is a technology platform that connects nurses (CNA, LPN and RN) with per diem shifts in long-term care facilities in the United States, offering flexible work opportunities for health professionals and a reliable staffing solution for facilities.
Addressing the problem
It is not known how long the database remained unprotected, or whether any threat actor accessed it before Fowler did. Nor do we know whether ESHYFT maintains the database itself or outsourced it to a third party.
“In a limited sampling of the exposed documents, I saw records that included profile or facial images of users, .CSV files with monthly records of work schedules, professional certificates, work assignment agreements, CVs and résumés containing additional PII,” said Fowler, pointing out that he informed both Website Planet and, later, ESHYFT.
“A single spreadsheet document contained more than 800,000 entries that detailed the nurses' internal IDs, the name of the facility, the time and date of the shifts, the hours worked and more.”
“I also saw what seemed to be medical documents uploaded to the application. These files were potentially uploaded as proof of why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information about the diagnosis, prescriptions or treatments that could fall under the scope of HIPAA regulations.”
After Fowler reported his findings to ESHYFT, the firm locked down the database a month later, telling him that it was “actively looking into this and working on a solution.”