86,000+ Healthcare Staff Records Exposed Due to AWS S3 Misconfiguration

A non-password-protected database belonging to ESHYFT, a New Jersey-based HealthTech company, was recently discovered by cybersecurity researcher Jeremiah Fowler.

The database contained over 86,000 records, amounting to 108.8 GB of sensitive information. This data breach, while not attributed to intentional malice, highlights the critical need for robust cybersecurity measures in the healthcare sector.

Background of ESHYFT

ESHYFT operates a mobile app platform that connects healthcare facilities with healthcare workers across 29 U.S. states, as per a report by Website Planet.

The platform allows nurses to choose shifts that fit their schedules, providing facilities with access to vetted W-2 nursing staff.

The app is widely used, with over 50,000 downloads on the Google Play Store alone. As the healthcare industry increasingly relies on digital platforms, the importance of safeguarding user data cannot be overstated.

Nature of the Data Exposure

The exposed database included sensitive documents such as profile images, monthly work schedules, professional certificates, CVs, and resumes containing personally identifiable information (PII).

Notably, it also included medical documents uploaded by nurses as proof for missing shifts or sick leave, potentially falling under HIPAA regulations.

These documents could include diagnoses, prescriptions, or treatments, posing a significant risk if accessed improperly.

Fowler immediately notified ESHYFT upon discovering the breach. The company acknowledged the notice, stating they were working on a solution.

However, it remains unclear if the database was managed by ESHYFT directly or a third-party contractor, or how long it was exposed before being detected.

The exposure of PII, salary details, and work histories could lead to identity theft, financial fraud, or highly targeted phishing campaigns.

Scans of identification documents combined with addresses could provide cybercriminals with enough information to commit such crimes.

Additionally, the lack of data segregation and encryption makes it critical for healthtech companies to adopt proactive cybersecurity strategies.

Recommendations for HealthTech Companies

1. Implement Mandatory Encryption: Sensitive data should always be encrypted to prevent unauthorized access.
2. Regular Security Audits: Frequently auditing internal infrastructure can help identify potential vulnerabilities before they are exploited.
3. Limit Sensitive Data Storage: Data should only be stored for as long as necessary and anonymized where possible.
4. Multi-Factor Authentication (MFA): MFA should be required for applications handling sensitive information to prevent easy access even if user credentials are compromised.
5. Establish Data Breach Response Plans: Companies should have a comprehensive plan in place to handle breaches and communicate with affected parties promptly.

The exposure of healthcare staff records due to an AWS S3 misconfiguration underscores the urgent need for healthtech companies to prioritize data security.

As healthcare increasingly relies on digital platforms, safeguarding sensitive information is crucial to protecting both healthcare workers and facilities from potential risks.

Proactive measures and enhanced cybersecurity protocols are essential to mitigate such vulnerabilities and ensure the integrity of sensitive data.

In light of these findings, organizations like ESHYFT must take immediate action to secure their databases and implement robust measures to prevent future breaches.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.