Report: Healthcare staffing info leak exposes 170K records

Cybersecurity researchers this week released a report detailing a leak that appeared to expose the data of thousands of medical workers, nurses and caregivers.   

According to the report, released by Security Discovery Co-Founder Jeremiah Fowler and Website Planet, the non-password protected database seemed to be linked to Gale Healthcare Solutions, which connects facilities with locally available nurses and caregivers.  

“These employee profiles exposed names, phone, email, home addresses. The accounts also contained links to images of the employees, and files that indicated credentials, and tax documents (SSN / Social Security Number),” wrote Fowler in the report.   

Gale did not respond to Healthcare IT News‘ requests for comment by press time.  

WHY IT MATTERS

As outlined by Fowler, the 170,239 records were contained in two folders, comprising 139,000 records of contacts and 31,500 of employees.  

The exposed data included:

  • Internal records including first and last names, phone, emails, home addresses, hire dates, apply dates, skill level and in some cases detailed notes of incidents and terminations
  • Passwords in plain text, with usernames appearing to be the user’s name or email address that was also listed in the account 
  • Links to AWS storage accounts that contained photos of the employee and files named “SSN Card” or “credentials”  

Fowler also noted that images linked in accounts were named in a format that contained the employees’ full name and a number titled “SSN” in the file name, such as “Jane_Doe-CNA-SSN-123456789.jpeg.”  

He drew attention to the uncommon nature of such a labeling system, saying that the file theoretically wouldn’t have to be opened to expose sensitive information.   

“This exposed data could be used for a range of crimes including identity theft, scams, and extortion,” wrote Fowler. “With email addresses cyber criminals could launch a targeted phishing campaign or social engineering attack using insider information to establish trust.”  

He pointed to the potential danger of the exposed name, Social Security Number and home address information from an identity theft perspective, in addition to passwords (which are often reused).  

“It is unclear how long the database was exposed and who else may have gained access to the publicly accessible records. It is also unclear if medical workers or authorities were notified of the potential exposure as required by Florida Information Protection Act of 2014 (FIPA),” Flower wrote. Gale is headquartered in Tampa.  

Fowler said that upon discovery, his team immediately sent a disclosure notice to Gale Healthcare Solutions; public access was closed the same day.  

“We are not implying any wrongdoing by Gale Healthcare Solutions, their partners, or users and we are highlighting our discovery to raise data protection awareness and promote cybersecurity best practices,” he said.  

THE LARGER TREND  

Fowler has drawn attention to similar apparently vulnerable databases in the past.   

This summer, he and Website Planet flagged a database containing more than 1 billion CVS Health records that had not been password protected.  

And in August, a research team from UpGuard also drew attention to a data leak from Microsoft Power Apps, containing 38 million records.  

ON THE RECORD  

“Any service that allows hospitals to fill their shifts is extremely important and valuable to sick patients. It is unfortunate that this incident may have exposed the data of frontline workers during an already difficult time,” wrote Fowler.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.

Source: Read Full Article