Ethical Hacking News
A massive data breach at ESHYFT, a New Jersey-based company, has exposed 86,341 records containing sensitive information on registered nurses (RNs), licensed practical nurses (LPNs), and certified nursing assistants (CNAs). The data sat unencrypted in a non-password-protected S3 bucket that was publicly accessible for months, and it included medical records, facial images, ID documents, and social security cards. The delay in closing the bucket raised concerns that the exposed information could be exploited by malicious actors, and the investigation underscores the need for robust cybersecurity measures, including encryption and access controls, to protect sensitive healthcare data.
In a shocking revelation that has left cybersecurity experts and healthcare professionals reeling, an investigation by Jeremiah Fowler has uncovered a massive data breach at ESHYFT, a New Jersey-based company that claims to be like an "Uber for nurses." The breach involved the exposure of 86,341 records containing sensitive information on registered nurses (RNs), licensed practical nurses (LPNs), and certified nursing assistants (CNAs) in a non-password-protected S3 bucket.
The data, which was left unencrypted and publicly accessible for months, included users' medical records, facial images, ID documents, scanned driver's licenses, social security cards, and more. The database contained 108.8 GB of data, with each file labeled with metadata that made it easily identifiable as belonging to ESHYFT and the individuals associated with it.
The breach was discovered by Fowler, a cybersecurity researcher who has been tracking data breaches for years. He spotted the S3 bucket on January 4 and notified ESHYFT immediately, but the company did not take action until over two months later, when the bucket was finally closed to public access. The delay in addressing the breach raised concerns about the potential for malicious actors to exploit the exposed information.
"This is pretty crazy knowing healthcare is a highly targeted sector for cybercrime," Fowler said in an interview. "Obviously, the amount of time is shocking to say the least. When there is a data exposure, every second counts and every additional day that individual files or an entire storage network are exposed, it greatly increases the potential risks of that information being exploited."
Fowler's investigation highlighted a common mistake made by many companies: leaving sensitive data unencrypted and publicly accessible. The S3 bucket in question was not properly secured, with no password protection or encryption to prevent unauthorized access.
"The service they provide is actually very valuable and fills the gaps that hospitals or healthcare providers have in their staffing and manpower needs," Fowler said. "ESHYFT provides a much-needed service; it is just unfortunate that this data was publicly exposed and for such a long period of time."
The breach has raised concerns about the security of ESHYFT's system and the potential risks to its users' sensitive information. It also highlights the importance of robust cybersecurity measures, including encryption and access controls, to protect sensitive data.
"The right way to secure the info would be to encrypt the sensitive docs in the database, and then decrypt them to the user with a time-limited access token," Fowler said. "Once the token expires, the file is no longer accessible."
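The access pattern Fowler describes, encrypted storage plus a short-lived token that stops working once it expires, is what an S3 presigned URL with a fixed expiry provides. As an added illustration (not ESHYFT's code, and not derived from the article), the block below implements the token half of that pattern in plain Python: a server signs an object key and expiry with an HMAC, and a download is allowed only if the signature checks out, the token names the requested object, and the expiry has not passed. The secret, object keys, and timestamps are constructed.

```python
# Added example, not code from the original article or from ESHYFT.
# A minimal time-limited access token for stored documents: issued server-side,
# bound to one object key, and rejected once its expiry passes.
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret; in production this comes from a secrets
# manager or KMS, never from source code.
SECRET_KEY = b"constructed-server-secret-do-not-reuse"


def issue_token(object_key: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return urlsafe-base64("<object_key>|<expiry>|<hex hmac>") valid for ttl_seconds."""
    current = time.time() if now is None else now
    expiry = int(current + ttl_seconds)
    payload = f"{object_key}|{expiry}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"|" + sig.encode()).decode()


def verify_token(token: str, requested_key: str, now: Optional[float] = None) -> bool:
    """True only if the signature is valid, the token is unexpired, and it names requested_key."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        object_key, expiry_str, sig = raw.rsplit("|", 2)
        expiry = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        # Malformed base64, missing fields, or a non-numeric expiry: reject.
        return False
    expected = hmac.new(SECRET_KEY, f"{object_key}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, sig):
        return False
    current = time.time() if now is None else now
    if current >= expiry:
        # Expired: the file is no longer accessible through this token.
        return False
    return object_key == requested_key


def fetch_document(store: dict, token: str, requested_key: str, now: Optional[float] = None) -> Optional[bytes]:
    """Serve the stored (encrypted-at-rest) document only for a valid token; otherwise None."""
    if not verify_token(token, requested_key, now=now):
        return None
    return store.get(requested_key)
```

With S3 itself, the equivalent is keeping Block Public Access on, storing objects with server-side encryption, and handing clients a presigned URL whose expiry plays the role of this token's expiry.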
In conclusion, the Great Healthcare Data Heist exposes how vulnerable companies that handle sensitive healthcare information are when basic controls are missing: data at rest must be encrypted, and access to it must be restricted and time-limited rather than left open to the public.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Great-Healthcare-Data-Heist-How-a-Non-Password-Protected-S3-Bucket-Exposed-86341-Records-of-Nurses-Medical-Information-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/03/11/uber_for_nurses_exposes_86k/
https://www.msn.com/en-us/health/other/uber-for-nurses-exposes-86k-medical-records-pii-in-open-s3-bucket-for-months/ar-AA1AHHW6
https://news.ycombinator.com/item?id=43335180
Published: Tue Mar 11 13:46:43 2025 by llama3.2 3B Q4_K_M