- A security researcher finds a huge online database that was not protected by a password
- It contained personally identifiable information, as well as medical data
- The database has since been locked down
ESHYFT, a technology platform designed for nurses in the United States, reportedly kept an unprotected database online, exposing thousands of sensitive files to anyone who knew where to look.
Security researcher Jeremiah Fowler found the database, which contained 86,341 records and exceeded 100 GB. The archive contained all kinds of sensitive data, from names and identifiers to medical reports.
ESHYFT is a technology platform that connects nurses (CNA, LPN and RN) with per diem shifts at long-term care facilities in the United States, offering flexible work opportunities for health professionals and a reliable staffing solution for facilities.
Fixing the problem
It is not known how long the database remained unprotected, or whether threat actors accessed it before Fowler did. We also do not know whether ESHYFT maintains the database itself or has outsourced it to a third party.
“In a limited sampling of the exposed documents, I saw records that include profile or facial images of users, .csv files with monthly work room logs, professional certificates, work assignment agreements, CVs and resumes that contained additional PII,” Fowler explained in his report to Website Planet and, later, ESHYFT.
“A single spreadsheet document contained more than 800,000 entries which detailed the internal identifiers of the nurse, the name of the facility, the time and date of the work shifts, the hours worked, and even more.”
“I also saw what seemed to be medical documents downloaded from the application. These files were potentially downloaded as proof of why individual nurses missed work shifts or took sick leave. These medical documents included medical reports containing information on diagnoses, prescriptions or treatments that could potentially fall under HIPAA regulations.”
After Fowler reported his findings to ESHYFT, the company locked down the database a month later, telling him that it was “actively examining this and working on a solution”.




