Data exposure on healthcare staffing app leaves over 108 GB of information open to internet

A database containing thousands of healthcare related records was left open to the internet, a researcher found.

Staffing agency app ESHYFT, which provides professionals with a mobile platform on which to connect to long-term care centers for per diem work, had a 108.8 GB, 86,341 record database publicly exposed and free of password protection for an unknown amount of time before Cybersecurity Researcher Jeremiah Fowler discovered it.

Red alert. Fowler, reporting on the breach on Website Planet, said that he alerted ESHYFT of the breach and that it was closed “over a month later.” Fowler added that he did not download any of the data and that there was no sign that anyone had accessed the information.

Fowler reported that in a limited sampling of the data, he found medical documents, Social Security cards, profile and facial images, and various other examples of PII.

“One single spreadsheet document contained 800,000+ entries that detailed the nurse’s internal IDs, facility name, time and date of shifts, hours worked, and more,” Fowler wrote.

Travel time. ESHYFT is available in 27 states. While the demand for traveling nursing is no longer at the peak it was during the pandemic, the traveling nursing market dropped 40% in 2023 from 2022. Akin Demehin, the American Hospital Association’s senior director of quality and patient safety policy, noted last year that full-time work is becoming more of a priority to healthcare centers.

Decline aside, there’s still a demand for travel nurses and other healthcare professionals, so the data exposure is troubling. As Fowler wrote, “workers who perform offline jobs (like nursing) are now integrated with online technology, and healthtech companies need to implement robust privacy safeguards to bridge the gap securely.”

“As more hospitals and healthcare workers depend on technology for data storage, care management, and employment, the need for increased cybersecurity measures across the entire industry is inescapable,” Fowler wrote, adding, “In my opinion, the data and PII of the doctors, nurses, and staff are equally as important as the healthcare facilities themselves.”