86,000 Records in Healthcare Employees Database Compromised Online

A New Jersey health technology firm left a database exposed online with no authentication of any kind, leaving sensitive personal and medical data accessible to anyone who found it. The database is associated with ESHYFT, a company that serves healthcare facilities in 29 U.S. states. Its mobile application platform lets healthcare facilities connect with healthcare workers, including Registered Nurses (RNs), Licensed Practical Nurses (LPNs), and Certified Nursing Assistants (CNAs). The app is available on Google Play and the Apple App Store and has been downloaded more than 50,000 times on Google Play. Nurses use it to find shifts that fit their schedules, and medical facilities use it to find vetted nursing personnel to fill vacancies.

Cybersecurity researcher Jeremiah Fowler discovered the exposed 108.8 GB database and published his findings on Website Planet. The database held 86,341 records, including profile and facial images, professional certificates, CVs and resumes, monthly work schedules, and work assignment contracts. One spreadsheet alone contained more than 800,000 entries listing facility names, internal nurse IDs, hours worked, shift times and dates, and other data. Medical documents containing diagnoses, treatments, and prescriptions were also found.

User files were kept in a single folder, which suggests that less sensitive information such as facial photographs was not separated from more sensitive information such as medical records. With everything in one location, a single instance of unauthorized access exposes all of it. At a minimum the database should have required authentication; the data should also have been encrypted at rest in line with HIPAA requirements, and access should have been protected with multifactor authentication.

Once Fowler identified ESHYFT as the probable owner, he sent a disclosure notice and received a reply saying the issue was being investigated. He could not determine whether the database was owned and maintained by ESHYFT or by a third-party vendor. It is also unknown whether unauthorized parties accessed the database, or how long it was exposed online.


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.