[Ed. note: This piece has been updated with a statement from Gale Healthcare Solutions.]
Cybersecurity researchers this week released a report detailing a leak that appeared to expose the data of thousands of medical workers, nurses and caregivers.
According to the report, released by Security Discovery cofounder Jeremiah Fowler and Website Planet, the database, which was not password-protected, seemed to be linked to Gale Healthcare Solutions, which connects facilities with locally available nurses and caregivers.
“These employee profiles exposed names, phone, email, home addresses. The accounts also contained links to images of the employees, and files that indicated credentials, and tax documents (SSN/Social Security Number),” wrote Fowler in the report.
In a statement sent to Healthcare IT News after press time, Gale representatives said the database was a temporary environment created for an internal system test.
“When the researcher notified us of a potential vulnerability in September, the environment had already been deactivated and secured,” said representatives. “There is no evidence there was any further unauthorized access beyond the researcher or that any personal data has been, or will be, misused.”
WHY IT MATTERS
As outlined by Fowler, the 170,239 records were contained in two folders, comprising 139,000 records of contacts and 31,500 of employees.
The exposed data included:
- Internal records including first and last names, phone, emails, home addresses, hire dates, apply dates, skill level and in some cases detailed notes of incidents and terminations.
- Passwords in plain text, with usernames appearing to be the user’s name or email address that was also listed in the account.
- Links to AWS storage accounts that contained photos of the employee and files named “SSN Card” or “credentials.”
Fowler also said that images linked in accounts were named in a format that contained the employees’ full name and a number titled “SSN” in the file name, such as “Jane_Doe-CNA-SSN-123456789.jpeg.”
He drew attention to the uncommon nature of such a labeling system, saying that the file theoretically wouldn’t have to be opened to expose sensitive information.
“This exposed data could be used for a range of crimes including identity theft, scams, and extortion,” wrote Fowler. “With email addresses cyber criminals could launch a targeted phishing campaign or social engineering attack using insider information to establish trust.”
Gale representatives disputed these particular assertions.
“Contrary to the report findings, Social Security Numbers were not used in the file names, nor disclosed. Rather, file names featured auto-generated sequential ten-digit Unix timestamps that were used in the testing environment,” they said.
“Dates of birth were also not disclosed, and to our knowledge, the accounts did not contain active links to images of tax documents or other credentials,” the representatives added.
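The dispute above turns on a detail a storage owner can check for itself: whether the number embedded in an object name is a nine-digit Social Security Number or a ten-digit Unix timestamp, and whether an "SSN" label in the name is backed by an SSN-shaped value. The following is an added example, not code from the report, Website Planet or Gale Healthcare Solutions; it scans a listing of object keys (the sample keys are constructed here to mirror the naming pattern the report describes and the timestamp pattern Gale describes, and are not real keys) and classifies each embedded number structurally, so that a bucket inventory can be audited without opening any file.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample object keys (not real data). The first two follow the
# "Name-Role-SSN-<9 digits>" pattern the report describes; the third and fourth
# carry a ten-digit Unix timestamp, as Gale's statement describes.
SAMPLE_KEYS = [
    "profiles/Jane_Doe-CNA-SSN-123456789.jpeg",
    "profiles/John_Roe-RN-SSN-078051120.jpeg",
    "profiles/Mary_Major-LPN-1639000000.jpeg",
    "profiles/Mary_Major-LPN-SSN-1639000000.jpeg",  # labelled "SSN" but the value is a timestamp
    "credentials/credentials.pdf",
    "profiles/Pat_Lee-CNA-000123456.jpeg",          # area 000 is never issued as an SSN
]

# A run of exactly 9 or 10 digits not embedded in a longer digit string.
DIGIT_RUN = re.compile(r"(?<!\d)(\d{9,10})(?!\d)")
# "SSN" as a standalone token (delimited by hyphens, underscores, dots, etc.).
SSN_LABEL = re.compile(r"(?i)(?<![a-z])ssn(?![a-z])")

# Plausibility window for Unix timestamps: 2000-01-01 .. 2100-01-01 (UTC).
TS_LO = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())
TS_HI = int(datetime(2100, 1, 1, tzinfo=timezone.utc).timestamp())


def looks_like_ssn(digits: str) -> bool:
    """Structural SSN check: 9 digits; area not 000, 666 or 900-999; group not 00; serial not 0000."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def looks_like_unix_timestamp(digits: str) -> bool:
    """Ten digits that decode to a date inside the plausibility window."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    return TS_LO <= int(digits) < TS_HI


def classify_key(key: str) -> list:
    """Return (kind, token) findings for every 9/10-digit number in one object key.

    kinds: ssn_in_name   - SSN-shaped value next to an explicit "SSN" label
           possible_ssn  - SSN-shaped value without a label
           timestamp     - ten digits that decode to a plausible Unix time
           other_number  - neither (e.g. an SSN-length value with an invalid area)
    """
    labelled = SSN_LABEL.search(key) is not None
    findings = []
    for token in DIGIT_RUN.findall(key):
        if looks_like_ssn(token):
            findings.append(("ssn_in_name" if labelled else "possible_ssn", token))
        elif looks_like_unix_timestamp(token):
            findings.append(("timestamp", token))
        else:
            findings.append(("other_number", token))
    return findings


def scan(keys) -> Counter:
    """Count findings by kind across a listing; the caller decides what to do with each."""
    totals = Counter()
    for key in keys:
        for kind, _ in classify_key(key):
            totals[kind] += 1
    return totals


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(key, "->", classify_key(key) or "no numeric token")
    print("summary:", dict(scan(SAMPLE_KEYS)))
```

The point of the fourth sample key is that an "SSN" label alone proves nothing either way: the check has to look at the value. Run against a real inventory (for example the output of an object-listing command, one key per line), any `ssn_in_name` or `possible_ssn` hit is a file whose name leaks data before anyone downloads it, and renaming is a cheaper fix than re-classifying the whole bucket.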
Fowler pointed to the identity-theft risk posed by the exposed personal information, and separately to the plaintext passwords, which are often reused across services.
“It is unclear how long the database was exposed and who else may have gained access to the publicly accessible records. It is also unclear if medical workers or authorities were notified of the potential exposure as required by Florida Information Protection Act of 2014 (FIPA),” Fowler wrote. Gale is headquartered in Tampa.
Fowler said that upon discovery, his team immediately sent a disclosure notice to Gale Healthcare Solutions. Public access was closed the same day.
“We are not implying any wrongdoing by Gale Healthcare Solutions, their partners, or users and we are highlighting our discovery to raise data protection awareness and promote cybersecurity best practices,” he said.
“Data security and privacy is a core commitment for our company. We take that commitment very seriously, and continue to take strides to protect all clinician data that we hold,” said Gale representatives in a statement.
THE LARGER TREND
Fowler has drawn attention to similar apparently vulnerable databases in the past.
This summer, he and Website Planet flagged a database containing more than one billion CVS Health records that had not been password-protected.
In August, a research team from UpGuard also drew attention to a data leak from Microsoft Power Apps containing 38 million records.
ON THE RECORD
“Any service that allows hospitals to fill their shifts is extremely important and valuable to sick patients. It is unfortunate that this incident may have exposed the data of frontline workers during an already difficult time,” wrote Fowler.