Security researcher finds huge non-password-protected database online

2025-03-14

It contained personally identifiable information, as well as medical data

The database was since locked down

ESHYFT, a technology platform designed for nurses across the United States, reportedly kept an unprotected database online, exposing thousands of sensitive records to anyone who knew where to look.

Security researcher Jeremiah Fowler found the database, which contained 86,341 records and exceeded 100 GB in size. The archive contained all sorts of sensitive data, from names and IDs to medical reports and more.

ESHYFT is a technology platform that connects nurses (CNAs, LPNs, and RNs) with per diem shifts at long-term care facilities across the US, offering flexible work opportunities for healthcare professionals and a reliable staffing solution for facilities.

Addressing the problem

It is not known for how long the database remained unprotected, or if any threat actors accessed it before Fowler did. We also don’t know if ESHYFT maintains the database itself, or if it outsourced it to a third party.

“In a limited sampling of the exposed documents, I saw records that included profile or facial images of users, .csv files with monthly work schedule logs, professional certificates, work assignment agreements, CVs and resumes that contained additional PII,” Fowler explained, noting he reported it to both Website Planet and, later, ESHYFT.

“One single spreadsheet document contained 800,000+ entries that detailed the nurse’s internal IDs, facility name, time and date of shifts, hours worked, and more.”

“I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations.”

After Fowler reported his findings to ESHYFT, the firm locked the database down a month later, telling him it was “actively looking into this and working on a solution”.