
Thousands of health records exposed online, including private patient information.
It is reported that ESHYFT maintained an extensive database without password protection.
A security researcher has found an online database that was not password-protected, exposing personal information and medical data. The database belonged to ESHYFT, a technology platform focused on connecting nurses with job shifts in long-term care facilities in the United States.
Jeremiah Fowler, the researcher who discovered the database, indicated that it contained a total of 86,341 records and occupied more than 100 GB of space. It included sensitive data such as names, identifications, and medical reports, among others. ESHYFT, for its part, offers flexible job opportunities for healthcare professionals, in addition to being a reliable staffing solution for facilities.
So far, it has not been confirmed how long the database was exposed or whether malicious actors accessed it before Fowler. It also remains unclear whether ESHYFT manages the database itself or whether its management was outsourced to an external entity.
The researcher noted that in a limited sample of the exposed documents, there were user profiles or images, .csv files with records of monthly work schedules, professional certifications, job assignment agreements, and resumes that contained personal information. In particular, a spreadsheet document contained over 800,000 entries with details about internal nurse identifications, facility names, shift schedules, and hours worked, among other data.
Fowler also observed medical documents that appeared to have been uploaded to the application, possibly as justification for absences or medical leaves. These files included medical reports with diagnoses, prescriptions, or treatments, which could be subject to HIPAA regulations.
After these findings were reported to ESHYFT, the firm restricted access to the database a month later, stating that it was "actively investigating and working on a solution."