A misconfigured database exposed 108.8 GB of sensitive data, including records on over 86,000 healthcare workers affiliated with ESHYFT, a New Jersey-based HealthTech company operating across 29 states. ESHYFT also provides a mobile platform that connects healthcare facilities with certified nursing professionals.
The exposed database was not password-protected or encrypted and contained a treasure trove of personally identifiable information (PII) including SSNs, scans of identification documents, salary details, work history, and more.
The database was discovered by cybersecurity researcher Jeremiah Fowler, who shared their report with Hackread.com, revealing that the exposed data included profile images, facial images, professional certificates, work assignment agreements, CVs, and resumes.
Furthermore, one spreadsheet document contained over 800,000 entries detailing nurses’ internal IDs, facility names, time and date of shifts, hours worked, and more. What’s worse, medical documents, including medical reports containing information on diagnoses, prescriptions, or treatments, were also exposed.
The exposure of such sensitive data could potentially fall under HIPAA regulations. It could also expose vulnerable users to online and physical risks, including identity theft, employment fraud, financial fraud, and targeted phishing campaigns.
The good news is that Fowler immediately notified ESHYFT. The bad news is that it took the company over a month after being alerted to restrict public access to the database. However, according to Fowler, the exposed database was not owned or directly managed by ESHYFT.
It remains unclear whether a third-party contractor was responsible for its management. Furthermore, the duration of the exposure and whether unauthorized parties accessed the data are unknown.
Nonetheless, cybercriminals could use the exposed data to commit crimes in the victims’ names or deceive them into revealing more personal or financial information. Therefore, HealthTech companies must implement proper cybersecurity measures, including:
- Implement mandatory encryption protocols for sensitive data.
- Use multi-factor authentication to prevent unauthorized access.
- Conduct regular security audits to identify potential vulnerabilities.
- Segregate sensitive data and assign expiration dates to data that is no longer in use.
- Have a data breach response plan in place and a dedicated communication channel for reporting potential security incidents.
- Provide timely responsible disclosure notices to affected individuals and educate them on how to recognize phishing attempts.