Ethical Hacking News
A vulnerable ecosystem was left exposed when an ESHYFT S3 bucket containing over 86,000 medical and personnel records sat open to the public for months before it was closed on March 5. A single spreadsheet in the bucket held more than 800,000 entries, underlining the need for proper security controls on cloud storage.
The ESHYFT case shows how exposed sensitive information can become in digital storage. An S3 bucket behind a healthcare company's mobile app, holding over 86,000 records, was publicly accessible for months. The exposed data included user profile pictures, ID documents, medical diagnoses, and prescription records. Security measures such as encryption and access controls are essential for protecting data of this kind; a single spreadsheet containing over 800,000 entries was found unencrypted and publicly accessible.
The healthcare industry is one of the most sensitive and heavily regulated sectors, requiring utmost protection for patient data. However, even the most well-intentioned and secure systems can fall prey to human error or design flaws, leading to catastrophic consequences. The case of ESHYFT, a New Jersey-based company that operates as "an Uber for nurses," serves as a stark reminder of the vulnerability of sensitive information in digital storage.
The company's mobile app, which has been downloaded over 50,000 times from the Google Play Store and is also available via Apple's App Store, connects certified nursing assistants (CNAs), licensed practical nurses (LPNs), and registered nurses (RNs) with per-diem shifts at hospitals and other long-term care facilities. The app allows nursing staff to find open shifts in their area, see what the facility pays, and even submit timecards and get paid through the app.
However, this valuable service comes with a steep price tag: sensitive information that can be exploited by cybercriminals. In January 2025, cybersecurity researcher Jeremiah Fowler discovered an exposed S3 bucket belonging to ESHYFT containing over 86,000 records, including medical records, facial images, ID documents, and more. The bucket was left accessible to the public for months before it was closed on March 5.
The exposed data includes user profile pictures, scanned driver's licenses, social security cards, monthly work schedule logs, professional certificates, work assignment agreements, CVs, resumes, medical diagnoses, prescription records, and disability insurance claims. Many of these documents were stored under descriptive labels such as "timecards," "user addresses," and "disabled users," making it easier for potential identity thieves or scammers to find and exploit the sensitive information.
The sheer volume of exposed data is staggering, with Fowler discovering a single spreadsheet containing over 800,000 entries, each including a nurse's ID, facility name, time, date of shifts, and hours worked. The fact that this data was left unencrypted and publicly accessible for an extended period poses significant risks to the healthcare workers and facilities that employed them.
Fowler's research highlights the importance of proper security measures in digital storage. "Most applications and user dashboard areas of a service only provide a portal with a front-facing login or admin area," Fowler said. "Once the user provides their credentials, they can upload or access documents. These records and documents need to be stored somewhere and then delivered to the user; here is where the problem arises."
The problem occurs when these individually uploaded files and database records are left readable by anyone, rather than only by the authenticated user who owns them through the app or web portal. Cloud storage should be configured so that data is accessible only to authorized users on a per-user basis.
Fowler emphasized the importance of encrypting sensitive documents and implementing time-limited access tokens. "This requires a substantial amount of work from the coding and development aspect, but it really is the only way to protect sensitive data delivered to the end users and stored in a central location," Fowler said.
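As an added illustration of the per-user, time-limited access Fowler describes (example code written for this article, not ESHYFT's or any vendor's implementation), the following Python issues an HMAC-signed token bound to one user and one object key, and the download path refuses anything expired, tampered with, or requested for another user's document. The secret, user IDs, and object keys are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; in production load this from a secret store and rotate it.
SECRET = b"constructed-demo-signing-secret"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, object_key: str, ttl_seconds: int, now=None) -> str:
    """Mint a short-lived token that names exactly one user and one object key."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "key": object_key, "exp": int(now) + ttl_seconds}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def authorize(token: str, requesting_user: str, requested_key: str, now=None) -> bool:
    """Grant access only if the signature checks, the token is unexpired,
    and both the user and the object key match what was signed."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):  # constant-time compare
            return False
        payload = json.loads(_b64d(body))
    except ValueError:  # malformed base64 or JSON
        return False
    if payload.get("exp", 0) < now:
        return False
    # Per-user scoping: the key must live under the user's own prefix as well.
    if not requested_key.startswith(f"users/{requesting_user}/"):
        return False
    return payload.get("sub") == requesting_user and payload.get("key") == requested_key
```

A public-read bucket makes every object key a permanent URL; with this scheme the storage layer stays private and the application hands out per-document links that die after `ttl_seconds`.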
The ESHYFT case serves as a wake-up call for companies that provide sensitive services. Healthcare is a highly targeted sector for cybercrime, and every second counts when there is a data exposure. Every additional day that individual files or an entire storage network are exposed increases the potential risks of that information being exploited.
In conclusion, the ESHYFT case highlights the importance of proper security measures in digital storage, particularly in sensitive industries like healthcare. Companies must prioritize encrypting sensitive documents and implementing robust access controls to protect their users' data. The consequences of neglecting these measures can be catastrophic, as seen in the exposed S3 bucket incident.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Vulnerable-Ecosystem-How-a-Healthcare-Apps-S3-Bucket-Exposed-86K-Medical-Records-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/03/11/uber_for_nurses_exposes_86k/
https://cyber.vumetric.com/security-news/2025/03/11/uber-for-nurses-exposes-86k-medical-records-pii-in-open-s3-bucket-for-months/
https://news.ycombinator.com/item?id=43335180
Published: Tue Mar 11 15:26:37 2025 by llama3.2 3B Q4_K_M