Cybersecurity researchers this week released a report detailing a leak that appeared to expose the data of thousands of clinical workers, nurses and caregivers.
According to the report, released by Security Discovery Co-Founder Jeremiah Fowler and Website Planet, the non-password-protected database appeared to be connected to Gale Healthcare Solutions, which connects facilities with locally available nurses and caregivers.
“These worker profiles exposed names, cell phone, electronic mail, home addresses. The accounts also contained one-way links to images of the personnel, and documents that indicated credentials, and tax paperwork (SSN / Social Security Number),” wrote Fowler in the report.
Gale did not respond to Healthcare IT News' requests for comment by press time.
WHY IT MATTERS
As outlined by Fowler, the 170,239 records were contained in two folders, comprising 139,000 records of contacts and 31,500 of staff members.
The exposed data included:
- Internal records including first and last names, cell phone, emails, home addresses, hire dates, application dates, skill level and, in some cases, specific notes of incidents and terminations
- Passwords in plain text, with usernames appearing to be the user’s name or email address that was also listed in the account
- Links to AWS storage accounts that contained photos of the employee and documents named “SSN Card” or “credentials”
Fowler also noted that photographs linked in accounts were named in a format that contained the employees’ full name and a number labeled “SSN” in the file name, such as “Jane_Doe-CNA-SSN-123456789.jpeg.”
He drew attention to the unusual nature of such a labeling system, saying that the file theoretically would not have to be opened to expose sensitive information.
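The naming pattern Fowler describes can be checked for from the storage owner's side. The following is an added example, not code from the report or the original article: it audits a list of object keys for file names that embed an SSN-shaped number and masks the digits in its output. The function names and sample keys are constructed for illustration, apart from the file name quoted above.

```python
import re

# Nine digits, optionally split 3-2-4 by "-", "_" or space, not part of a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[-_ ]?(\d{2})[-_ ]?(\d{4})(?!\d)")
# Label tokens suggesting the digits are an identifier rather than, say, a timestamp.
LABEL_RE = re.compile(r"(?<![a-z])(ssn|social)(?![a-z])", re.IGNORECASE)


def plausible_ssn(area, group, serial):
    """SSA structural rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def audit_key(key):
    """Return a finding for one object key, or None if its file name holds nothing SSN-like."""
    name = key.rsplit("/", 1)[-1]
    prefix = key[:len(key) - len(name)]
    for m in SSN_RE.finditer(name):
        if not plausible_ssn(*m.groups()):
            continue
        # Keep only the last four digits so the audit report does not repeat the leak.
        masked = name[:m.start()] + "***-**-" + m.group(3) + name[m.end():]
        labelled = bool(LABEL_RE.search(name))
        return {"key_masked": prefix + masked,
                "severity": "high" if labelled else "review"}
    return None


def audit_keys(keys):
    """Audit a full listing and return only the keys that produced a finding."""
    return [f for f in map(audit_key, keys) if f]


# Constructed sample listing; the first key is the example name quoted in the article.
SAMPLE_KEYS = [
    "staff/Jane_Doe-CNA-SSN-123456789.jpeg",
    "staff/John_Roe-RN-credentials.pdf",
    "staff/scan_20210914_000123.png",
    "staff/Ann_Poe-LPN-219-09-9999.jpeg",
]

if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEYS):
        print(finding)
```

Keys flagged this way should be renamed to opaque identifiers, since object names appear in listings, URLs and access logs even when the object body is protected.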
“This exposed info could be applied for a range of crimes including identity theft, frauds, and extortion,” wrote Fowler. “With email addresses cyber criminals could launch a specific phishing campaign or social engineering attack making use of insider info to set up belief.”
He pointed to the potential risk of the exposed name, Social Security Number and home address information from an identity theft perspective, in addition to passwords (which are often reused).
“It is unclear how long the database was exposed and who else may well have obtained access to the publicly available data. It is also unclear if medical personnel or authorities have been notified of the probable exposure as necessary by