USA: Incorrectly configured server exposes sensitive data of nursing staff
Incorrectly configured cloud storage enabled access to the data of tens of thousands of nursing staff using an app for shift scheduling.
Users of the app from Eshyft, an IT company from New Jersey, have been affected by a data leak of more than 100 GB. Sensitive data of more than 86,000 nurses and other medical staff from 29 US states was openly accessible for months in incorrectly configured Amazon Web Services (AWS) cloud storage. IT security researcher Jeremiah Fowler from Cybernews drew the company's attention to the security vulnerability.
According to his report, Fowler discovered the open database on January 4 and reported it to Eshyft two days later. Although the company then announced measures, the storage containing the company's information remained publicly accessible for over a month. The gap was only closed on March 5.
App for filling shifts
The app enables the short-term filling of open shifts in hospitals and other long-term care facilities with certified nursing staff and nurses. It has been downloaded more than 50,000 times from the Google Play Store and is also available in the Apple App Store.
Eshyft collects a lot of sensitive information about healthcare workers: the 86,341 records exposed included profile pictures, identification documents, driver's licenses, social security cards, time sheets, employment contracts, resumes and medical records.
Criminals could use the information to blackmail those affected or commit identity theft, among other things. It is still unclear how long the vulnerability was open before it was discovered. Eshyft has not yet responded to inquiries from The Register.
(mack)