Length of time of exposure is unknown.
Around 11GB of nurses' data was inadvertently leaked for months through an unprotected Amazon Web Services (AWS) S3 bucket.
According to researcher Jeremiah Fowler, the data from health tech firm ESHYFT included 86,341 records, and featured nurses' user profile photos and facial images, scanned Social Security cards and driver's licenses, professional certificates, prescription records, and disability insurance claims.
“I immediately sent a responsible disclosure notice to the company, and the database was restricted from public access over a month later,” Fowler said. “I received a response thanking me for the notification stating ‘Thank you! we’re actively looking into this and working on a solution’.
“It is not known if the database was owned and managed by ESHYFT directly or via a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.”
ESHYFT also had a spreadsheet exposed, with over 800,000 entries containing nurses' IDs, facility names, shift times and dates, and working hours, said Fowler. He also noted that the growing prevalence of unintentional compromise stemming from open databases should prompt the immediate encryption of sensitive documents, which could later be decrypted using a time-limited access token.
Written by Dan Raywood