
    From Mike Powell@1:2320/105 to All on Friday, March 14, 2025 18:31:00
    Thousands of healthcare records exposed online, including private patient information

    Date:
    Fri, 14 Mar 2025 19:28:00 +0000

    Description:
    ESHYFT was keeping a large database without a password, containing all sorts
    of sensitive data.

    FULL STORY

    ESHYFT, a technology platform designed for nurses across the United States, reportedly kept an unprotected database online, exposing thousands of
    sensitive records to anyone who knew where to look.

    Security researcher Jeremiah Fowler found the database, which contained
    86,341 records and exceeded 100 GB in size. The archive contained
    all sorts of sensitive data, from names and IDs to medical reports and
    more.

    ESHYFT is a technology platform that connects nurses (CNAs, LPNs, and RNs)
    with per diem shifts at long-term care facilities across the US, offering flexible work opportunities for healthcare professionals and a reliable staffing solution for facilities.

    Addressing the problem

    It is not known for how long the database remained unprotected, or if any threat actors accessed it before Fowler did. We also don't know if ESHYFT maintains the database itself, or if it outsourced it to a third party.

    "In a limited sampling of the exposed documents, I saw records that included profile or facial images of users, .csv files with monthly work schedule
    logs, professional certificates, work assignment agreements, CVs and resumes that contained additional PII," Fowler explained, noting he reported it to
    both Website Planet and, later, ESHYFT.

    One single spreadsheet document contained 800,000+ entries that detailed the nurses' internal IDs, facility name, time and date of shifts, hours worked,
    and more.

    "I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations."

    After Fowler reported his findings to ESHYFT, the firm locked the database
    down a month later, telling him it was "actively looking into this and
    working on a solution."

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/thousands-of-healthcare-records-exposed-online-including-private-patient-information

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)