Exclusive More than 86,000 records containing nurses’ medical records, facial images, ID documents and other sensitive info linked to health tech company ESHYFT were left sitting in a wide-open S3 bucket for months, or possibly even longer, before it was closed last week.
Cybersecurity researcher Jeremiah Fowler spotted the non-password-protected, unencrypted database on January 4 and two days later reported it to ESHYFT, a New Jersey-based company that operates in 29 states and bills itself as being “like an Uber for nurses.”
He said both the name of the database and the documents inside it “indicated that the records belonged to ESHYFT” and he immediately notified the outfit, which he said responded to thank him and say that it was taking action.
But even after being notified by Fowler about the data disaster waiting to happen, the S3 bucket containing ESHYFT info was not closed from public access until over a month later. The bucket held 108.8 GB and contained 86,341 records. As of March 5, it is no longer open to the public.
“This is pretty crazy knowing healthcare is a highly targeted sector for cybercrime,” Fowler told The Register. “Obviously, the amount of time is shocking to say the least. When there is a data exposure, every second counts and every additional day that individual files or an entire storage network are exposed, it greatly increases the potential risks of that information being exploited.”
The company’s mobile app, which has been downloaded more than 50,000 times from the Google Play Store and is also available via Apple’s App Store, connects certified nursing assistants (CNAs), licensed practical nurses (LPNs), and registered nurses (RNs) with per-diem shifts at hospitals and other long-term care facilities. It allows nursing staff to find open shifts in their area, see what the facility pays, and even submit timecards and get paid through the app.
Needless to say: it collects a ton of sensitive information on healthcare workers at a time when hospitals are regularly victimized by ransomware crews and other cybercriminals looking to steal people’s personal and health data. This valuable info can then be used to extort healthcare facilities into paying massive sums to prevent the files from being leaked — and subsequent class-action lawsuits that are sure to follow.
Fowler scrolled through a limited sample of the 86,341 exposed records, and says these included user profile pictures and facial images. Some included lanyards showing medical IDs and other credentials too. The database also contained nurses’ scanned driver’s licenses and social security cards, CSV files with monthly work schedule logs, professional certificates, work assignment agreements, CVs and resumes, medical diagnoses, prescription records, and disability insurance claims.
Plus, many of these documents were oh-so-helpfully labeled “timecards,” “user addresses,” “disabled users” and other user-related info. Labels like that are exactly what would-be identity thieves or scammers looking to commit employment or financial fraud want to see, and they put both the healthcare worker and the facility that employs them in danger of targeted cyberattacks and of violating privacy regulations, among other digital risks.
According to Fowler’s research published today, a single spreadsheet contained more than 800,000 entries listing a nurse’s ID, the name of the facility where they worked, the time and date of shifts, and hours worked.
Two months later…
Fowler says he doesn’t know if ESHYFT or a third-party contractor owns and manages the database. Fowler also isn’t sure how long it was left open before he spotted it — or if anyone with evil intentions found and misused the sensitive information stored inside before it was locked up.
The Register reached out to ESHYFT multiple times with these and other questions and did not receive a response.
“My opinion on this exposure is: Most applications and user dashboard areas of a service only provide a portal with a front-facing login or admin area,” Fowler said. “Once the user provides their credentials they can upload or access documents. These records and documents need to be stored somewhere and then be delivered to the user; here is where the problem arises.”
The problem occurs when individual files are set to publicly visible so that they can be delivered via an app or web portal: their names, URLs, or other database identifiers can then be discerned by anyone who looks.
And if the database itself is set to open, then all of those documents are at risk of exposure.
However, “if the application is dependent on these documents, and if they are all restricted, then the service doesn’t work properly,” Fowler told us. “I am seeing this way more often these days across a range of industries.”
The right way to secure the info would be to encrypt the sensitive docs in the database, and then decrypt them for the user only with a time-limited access token. Once the token expires, the file is no longer accessible.
“This requires a substantial amount of work from the coding and development aspect, but it really is the only way to protect sensitive data delivered to the end users and stored in a central location,” Fowler said.
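The time-limited token half of that design, as an added illustration that is not ESHYFT’s or Fowler’s code: the store stays private, every document link is an HMAC-signed token bound to one object key and an expiry, and the app is the only read path. The signing secret, store contents and object keys are constructed demo values; the at-rest encryption Fowler also describes would sit underneath this as a separate layer.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo values: a real deployment keeps the signing secret in a
# secrets manager and the documents in a bucket with all public access blocked.
SIGNING_SECRET = b"demo-only-secret"
PRIVATE_STORE = {"scans/nurse-123/driver-license.pdf": b"%PDF-constructed-sample"}


def mint_access_token(object_key: str, ttl_seconds: int,
                      secret: bytes = SIGNING_SECRET, now: Optional[int] = None) -> str:
    """Return 'expires.signature', valid only for this object key until expiry."""
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    msg = f"{object_key}\n{expires}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{sig}"


def verify_access_token(object_key: str, token: str,
                        secret: bytes = SIGNING_SECRET, now: Optional[int] = None) -> bool:
    """True only if the token is well-formed, unexpired and signed for this key."""
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if (int(time.time()) if now is None else now) >= expires:
        return False  # token has lapsed; the file is no longer reachable with it
    msg = f"{object_key}\n{expires}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def serve_document(object_key: str, token: str, now: Optional[int] = None) -> Optional[bytes]:
    """The only read path: the app fetches from the private store after verifying."""
    if not verify_access_token(object_key, token, now=now):
        return None
    return PRIVATE_STORE.get(object_key)


if __name__ == "__main__":
    key = "scans/nurse-123/driver-license.pdf"
    token = mint_access_token(key, ttl_seconds=300)   # five-minute window
    print(serve_document(key, token) is not None)     # True: fresh token, right key
    print(serve_document("scans/other.pdf", token))   # None: token is bound to one key
```

S3 pre-signed URLs implement the same pattern (SigV4 signature plus expiry) natively, so the bucket itself never needs to be readable by the public.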
And while finding a non-password-protected database exposed on the internet isn’t a new thing for Fowler, ESHYFT is “one of my more interesting finds,” he noted.
“The service they provide is actually very valuable and fills the gaps that hospitals or healthcare providers have in their staffing and manpower needs,” Fowler added.
It benefits nurses and other healthcare professionals looking to pick up extra work, which presumably means fewer under-staffed hospitals and better, more immediate care for patients.
“In the end, hospitals that are fully staffed and nurses who are employed is a win-win and a good thing for patient care,” Fowler said. “ESHYFT provides a much-needed service, it is just unfortunate that this data was publicly exposed and for such a long period of time.” ®