86,000+ Healthcare Staff Records Exposed from Misconfigured AWS S3 Bucket

A significant data breach involving sensitive healthcare worker information has been discovered, exposing over 86,000 records belonging to ESHYFT, a New Jersey-based HealthTech company. 

Cybersecurity researcher Jeremiah Fowler identified an unprotected AWS S3 storage bucket containing approximately 108.8 GB of data that lacked password protection or encryption, leaving private healthcare worker information publicly accessible. 

The misconfigured cloud storage contained highly sensitive personally identifiable information (PII), including profile images, work schedules, professional certificates, and medical documents potentially protected under HIPAA regulations, creating substantial risk for affected healthcare professionals across 29 states.

Sensitive Data Exposed

The unsecured AWS S3 bucket contained 86,341 records, with the majority of documents stored inside a folder labeled “App”. 

During his investigation, Fowler discovered multiple file types containing sensitive information, including facial images of users, CSV files with monthly work schedule logs, professional certificates, work assignment agreements, and CVs containing additional PII. 

Disability claim document included PII, doctor’s data and additional information

One single spreadsheet document contained over 800,000 entries detailing nurses’ internal IDs, facility names, shift dates and times, and hours worked, representing a comprehensive dataset of healthcare worker activities. 

Perhaps most concerning was the presence of medical documents apparently uploaded as proof for missed shifts or sick leave, which contained information about diagnoses, prescriptions, and treatments that could potentially fall under HIPAA protection.

Upon discovering the exposed S3 bucket, Fowler immediately sent a responsible disclosure notice to ESHYFT following standard security researcher protocols. 

Despite the critical nature of the exposed data, public access to the database was only restricted more than a month after initial notification. 

The company acknowledged receipt of the notification with a brief statement: “Thank you! we’re actively looking into this and working on a solution”. 

It remains unclear whether the misconfigured AWS S3 bucket was directly managed by ESHYFT or through a third-party contractor, and no information is available regarding how long the data was exposed before discovery or whether unauthorized parties may have accessed it during the exposure period.

ESHYFT operates a mobile platform designed to connect healthcare facilities with qualified nursing professionals including Certified Nursing Assistants (CNAs), Licensed Practical Nurses (LPNs), and Registered Nurses (RNs). 

The application allows nurses to select shifts that fit their schedules while providing healthcare facilities with access to vetted W-2 nursing staff. 

Available in 29 U.S. states including California, Florida, Georgia, and New Jersey, the platform represents a significant technological solution to healthcare staffing challenges. 

The mobile application is available on both Apple’s App Store and Google Play Store, where it has been downloaded more than 50,000 times, indicating its widespread use among healthcare professionals.

This data exposure occurs against a backdrop of increasing healthcare staffing challenges, with the Health Resources & Services Administration projecting a 10% nationwide shortage of registered nurses by 2027. 

As healthcare organizations increasingly rely on technology platforms to address staffing deficiencies, the integration of offline healthcare jobs with online technology creates new security vulnerabilities that must be addressed. 

The exposure of healthcare worker data represents a significant risk not only to individual privacy but potentially to critical healthcare infrastructure, as cybercriminals have routinely targeted hospitals and medical facilities in recent years.

To prevent similar AWS S3 bucket misconfigurations, health tech companies should implement strict access controls using the principle of least privilege, enable default encryption for all stored data, and utilize AWS security features such as Amazon Macie for sensitive data detection. 

Security experts recommend mandatory encryption protocols for sensitive data and regular security audits to identify potential vulnerabilities in cloud infrastructure. 

The practice of segregating data based on sensitivity levels is particularly important—as noted in this case, user profile images and medical documents were stored in the same folder despite vastly different sensitivity classifications. 

Multi-factor authentication (MFA) should be implemented for any application where users access sensitive information, and organizations should establish clear data breach response plans with dedicated communication channels for reporting security incidents.
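The controls listed above (public access blocking, default encryption, a policy that does not grant anonymous access) can be checked mechanically. The following is an added example, not code from the article or from ESHYFT: an offline audit routine that evaluates the response shapes of the real boto3 calls `get_public_access_block`, `get_bucket_encryption` and `get_bucket_policy`, but takes them as plain dicts so it runs without AWS credentials. The bucket names, role ARN, account ID and key alias in the sample inputs are constructed, and the example goes slightly beyond the article by also inspecting the bucket policy for unconditional `Allow` statements to principal `*`.

```python
"""Offline audit of the S3 settings that decide whether a bucket is world-readable.

Added example. Input dicts mirror the shapes boto3 returns for
get_public_access_block, get_bucket_encryption and get_bucket_policy;
pass None where the real call raises "not configured" errors.
"""
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal) -> bool:
    """True for the anonymous principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_json: str) -> list:
    """Sids (or positions) of Allow statements open to anyone with no Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a policy may hold a single statement object
        stmts = [stmts]
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow"
            and _principal_is_public(s.get("Principal"))
            and not s.get("Condition")]


def audit_bucket(public_access_block, encryption, policy) -> list:
    """Return a list of findings; an empty list means the checked controls are in place."""
    findings = []

    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))

    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not any(algos):
        findings.append("no default server-side encryption configured")
    elif "aws:kms" not in algos:
        # SSE-S3 encrypts at rest but gives no per-key access trail; SSE-KMS does.
        findings.append("default encryption is SSE-S3 (AES256); consider SSE-KMS for PHI")

    if policy and policy.get("Policy"):
        open_sids = public_statements(policy["Policy"])
        if open_sids:
            findings.append("bucket policy grants unconditional public access: "
                            + ", ".join(open_sids))
    return findings


# Constructed sample: nothing blocked, nothing encrypted, anonymous GetObject allowed.
EXPOSED_PAB = None
EXPOSED_ENC = None
EXPOSED_POLICY = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-app-uploads/*"}]})}

# Constructed sample: the same bucket after remediation (hypothetical role and key alias).
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
HARDENED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "alias/example-phi-key"}}]}}
HARDENED_POLICY = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-app-uploads",
                      "arn:aws:s3:::example-app-uploads/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}

if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_PAB, EXPOSED_ENC, EXPOSED_POLICY)),
                       ("hardened", (HARDENED_PAB, HARDENED_ENC, HARDENED_POLICY))):
        print(name, audit_bucket(*args) or ["OK"])
```

Two points worth keeping in mind when running such a check against real buckets: server-side encryption at rest is transparent to anyone the access controls already allow to read the object, so the public access block and the policy are the settings that actually prevent the kind of exposure described here; and a `Deny` statement with principal `*` (as in the hardened sample) is a normal hardening pattern, which is why the policy check only flags `Allow` statements.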

The exposure of 86,000+ healthcare staff records serves as a reminder that even as technology helps address critical healthcare staffing shortages, it simultaneously introduces new security challenges that require vigilant attention and proactive protection measures.


The post 86,000+ Healthcare Staff Records Exposed from Misconfigured AWS S3 Bucket appeared first on Cyber Security News.