Global Edition
Privacy & Security

Report: Healthcare staffing info leak exposes 170K records

Cybersecurity researchers note that the vulnerable database appeared to be linked to Gale Healthcare Solutions, which connects medical facilities with available caregivers.
By Kat Jercich
December 01, 2021
01:54 PM

Photo: Pixabay/Pexel Images

[Ed. note: This piece has been updated with a statement from Gale Healthcare Solutions.]

Cybersecurity researchers this week released a report detailing a leak that appeared to expose the data of thousands of medical workers, nurses and caregivers.   

According to the report, released by Security Discovery cofounder Jeremiah Fowler and Website Planet, the database, which was not password-protected, seemed to be linked to Gale Healthcare Solutions, which connects facilities with locally available nurses and caregivers.

"These employee profiles exposed names, phone, email, home addresses. The accounts also contained links to images of the employees, and files that indicated credentials, and tax documents (SSN/Social Security Number)," wrote Fowler in the report.

In a statement sent to Healthcare IT News after press time, Gale representatives said the database was a temporary environment created for an internal system test.

"When the researcher notified us of a potential vulnerability in September, the environment had already been deactivated and secured," said representatives. "There is no evidence there was any further unauthorized access beyond the researcher or that any personal data has been, or will be, misused."

WHY IT MATTERS

As outlined by Fowler, the 170,239 records were contained in two folders, comprising 139,000 records of contacts and 31,500 of employees.

The exposed data included:

  • Internal records including first and last names, phone, emails, home addresses, hire dates, apply dates, skill level and in some cases detailed notes of incidents and terminations.
  • Passwords in plain text, with usernames appearing to be the user’s name or email address that was also listed in the account.
  • Links to AWS storage accounts that contained photos of the employee and files named “SSN Card” or “credentials.”  

Fowler also said that images linked in accounts were named in a format that contained the employees’ full name and a number titled "SSN" in the file name, such as "Jane_Doe-CNA-SSN-123456789.jpeg."

He drew attention to the uncommon nature of such a labeling system, saying that the file theoretically wouldn't have to be opened to expose sensitive information.   

"This exposed data could be used for a range of crimes including identity theft, scams, and extortion," wrote Fowler. "With email addresses cyber criminals could launch a targeted phishing campaign or social engineering attack using insider information to establish trust."

Gale representatives disputed these particular assertions.

"Contrary to the report findings, Social Security Numbers were not used in the file names, nor disclosed. Rather, file names featured auto-generated sequential ten-digit Unix timestamps that were used in the testing environment," they said. 

"Dates of birth were also not disclosed, and to our knowledge, the accounts did not contain active links to images of tax documents or other credentials," the representives added.

Fowler pointed to the potential danger of the exposed information from an identity theft perspective, in addition to passwords – which are often reused.  

"It is unclear how long the database was exposed and who else may have gained access to the publicly accessible records. It is also unclear if medical workers or authorities were notified of the potential exposure as required by Florida Information Protection Act of 2014 (FIPA)," Flower wrote. Gale is headquartered in Tampa.  

Fowler said that upon discovery, his team immediately sent a disclosure notice to Gale Healthcare Solutions. Public access was closed the same day.  

"We are not implying any wrongdoing by Gale Healthcare Solutions, their partners, or users and we are highlighting our discovery to raise data protection awareness and promote cybersecurity best practices," he said.  

"Data security and privacy is a core commitment for our company. We take that commitment very seriously, and continue to take strides to protect all clinician data that we hold," said Gale representatives in a statement.

THE LARGER TREND  

Fowler has drawn attention to similar apparently vulnerable databases in the past.   

This summer, he and Website Planet flagged a database containing more than one billion CVS Health records that had not been password protected.

In August, a research team from UpGuard also drew attention to a data leak from Microsoft Power Apps containing 38 million records.  

ON THE RECORD  

"Any service that allows hospitals to fill their shifts is extremely important and valuable to sick patients. It is unfortunate that this incident may have exposed the data of frontline workers during an already difficult time," wrote Fowler.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

Topics: 
Mobile, Privacy & Security, Workforce

More regional news

VA building signage

House passes veterans healthcare package without RESET Act

By
Andrea Fox
November 21, 2024
David Miles of Oklahoma Heart Hospital

Deep dive: A tour of all-digital Oklahoma Heart Hospital, where automation is the norm

By
Bill Siwicki
November 21, 2024
Healthcare workers looking at X-ray images on monitors

Streamlining healthcare operations with multicloud-by-design

November 21, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

VA building signage
House passes veterans healthcare package without RESET Act

Most Read

HMIS integration with other public HIS sought and more India briefs
Particle Health files antitrust suit against Epic
Choosing a managed IT service for aged care
ASTP intros 2024 draft Federal FHIR Action Plan
CrowdStrike all but assures Capitol Hill: Never again
Korea's largest hospital bags APAC's first Stage 6 of new INFRAM

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes
Dr Alice Sutedjo Lisa at SMC Telogorejo Hospital_HIMSS24 APAC
Assisting the elderly in digital care
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards

More Stories

BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards
Clinicians look at diagnostic imaging
American College of Radiology launches AI quality registry
A doctor with glasses sits at a desk and speaks during a telehealth visit.
DEA and HHS extend virtual prescribing for controlled substances through 2025
Dr. Jay Anders at Medicomp Systems_Computer chip with stethoscope Photo by Just_Super/iStock/Getty Images Plus
Transparency and responsible AI are crucial for medical devices
George Pappas of Intraprise Health on cybersecurity
How to protect telemedicine from cyberattacks