![iFixit Tears Down New M4 MacBook Air [Video]](https://www.iclarified.com/images/news/96717/96717/96717-640.jpg)
![Apple Officially Announces Return of 'Ted Lasso' for Fourth Season [Video]](https://www.iclarified.com/images/news/96710/96710/96710-640.jpg)
![[Update: Fix] Chromecast (2nd gen) and Audio can’t Cast in ‘Untrusted’ outage](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2019/08/chromecast_audio_1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![[The AI Show Episode 139]: The Government Knows AGI Is Coming, Superintelligence Strategy, OpenAI’s $20,000 Per Month Agents & Top 100 Gen AI Apps](https://www.marketingaiinstitute.com/hubfs/ep%20139%20cover-2.png)
![[The AI Show Episode 138]: Introducing GPT-4.5, Claude 3.7 Sonnet, Alexa+, Deep Research Now in ChatGPT Plus & How AI Is Disrupting Writing](https://www.marketingaiinstitute.com/hubfs/ep%20138%20cover.png)
![If I use an API licensed with apache 2.0 in my project, what license do I use and what should I be aware of? [closed]](https://cdn.sstatic.net/Sites/softwareengineering/Img/apple-touch-icon@2.png?v=1ef7363febba)
.jpg?#)
.jpg?#)
Thousands of healthcare records exposed online, including private patient information
ESHYFT was keeping a large database without a password, containing all sorts of sensitive data.
- Security researcher finds finds huge non-password-protected database online
- It contained personally identifiable information, as well as medical data
- The database was since locked down
ESHYFT, a technology platform designed for nurses across the United States, reportedly kept an unprotected database online, exposing thousands of sensitive records to anyone who knew where to look.
Security researcher Jeremiah Fowler found the database, which contained 86,341 records, and that it exceeded 100 GB in size. The archive contained all sorts of sensitive data, from names and IDs, to medical reports, and more.
ESHYFT is a technology platform that connects nurses (CNAs, LPNs, and RNs) with per diem shifts at long-term care facilities across the US, offering flexible work opportunities for healthcare professionals and a reliable staffing solution for facilities.
Addressing the problem
It is not known for how long the database remained unprotected, or if any threat actors accessed it before Fowler did. We also don’t know if ESHYFT maintains the database itself, or if it outsourced it to a third party.
“In a limited sampling of the exposed documents, I saw records that included profile or facial images of users, .csv files with monthly work schedule logs, professional certificates, work assignment agreements, CVs and resumes that contained additional PII,” Fowler explained, noting he reported it to both Website Planet, and later - ESHYFT.
“One single spreadsheet document contained 800,000+ entries that detailed the nurse’s internal IDs, facility name, time and date of shifts, hours worked, and more.”
“I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations.”
After Fowler reported his findings to ESHYFT, the firm locked the database down a month later, telling him it was, "actively looking into this and working on a solution”.
You might also like
- Massive online data breach sees 2.7 billion records leaked - here's what we know
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
