
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 750 of 2,445   
   Mike Powell to All   
   Thousands of healthcare r   
   14 Mar 25 18:31:00   
   
   TZUTC: -0500   
   MSGID: 465.consprcy@1:2320/105 2c39f450   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Thousands of healthcare records exposed online, including private patient   
   information   
      
   Date:   
   Fri, 14 Mar 2025 19:28:00 +0000   
      
   Description:   
   ESHYFT was keeping a large database without a password, containing all sorts   
   of sensitive data.   
      
   FULL STORY   
      
   ESHYFT, a technology platform designed for nurses across the United States,   
   reportedly kept an unprotected database online, exposing thousands of   
   sensitive records to anyone who knew where to look.    
      
   Security researcher Jeremiah Fowler found the database, which contained
   86,341 records and exceeded 100 GB in size. The archive contained
   all sorts of sensitive data, from names and IDs to medical reports and
   more.
      
   ESHYFT is a technology platform that connects nurses (CNAs, LPNs, and RNs)   
   with per diem shifts at long-term care facilities across the US, offering   
   flexible work opportunities for healthcare professionals and a reliable   
   staffing solution for facilities.   
      
   Addressing the problem    
      
   It is not known for how long the database remained unprotected, or if any
   threat actors accessed it before Fowler did. We also don't know if ESHYFT
   maintains the database itself, or if it outsourced it to a third party.
      
   "In a limited sampling of the exposed documents, I saw records that included
   profile or facial images of users, .csv files with monthly work schedule
   logs, professional certificates, work assignment agreements, CVs and resumes
   that contained additional PII," Fowler explained, noting he reported it to
   both Website Planet, and later - ESHYFT.
      
   One single spreadsheet document contained 800,000+ entries that detailed the
   nurses' internal IDs, facility name, time and date of shifts, hours worked,
   and more.
      
   "I also saw what appeared to be medical documents uploaded to the app. These
   files were potentially uploaded as proof for why individual nurses missed
   shifts or took sick leave. These medical documents included medical reports
   containing information of diagnosis, prescriptions, or treatments that could
   potentially fall under the ambit of HIPAA regulations."
      
   After Fowler reported his findings to ESHYFT, the firm locked the database
   down a month later, telling him it was "actively looking into this and
   working on a solution."
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/thousands-of-healthcare-records-exposed-online-including-private-patient-information
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
      



(c) 1994,  bbs@darkrealms.ca