Unprotected Database Exposes 170K Healthcare Staffing Records

December 01, 2021 - UPDATE 12/3/21: Gale Healthcare Solutions provided an update to HealthITSecurity.

"The database was a temporary environment created for an internal system test. When the researcher notified us of a potential vulnerability in September, the environment had already been deactivated and secured. There is no evidence there was any further unauthorized access beyond the researcher or that any personal data has been, or will be, misused," the statement explained.

"Contrary to the report findings, Social Security Numbers were not used in the file names, nor disclosed. Rather, file names featured auto-generated sequential ten-digit Unix timestamps that were used in the testing environment. Dates of birth were also not disclosed, and to our knowledge, the accounts did not contain active links to images of tax documents or other credentials. Data security and privacy is a core commitment for our company. We take that commitment very seriously, and continue to take strides to protect all clinician data that we hold."

---
Researcher Jerimiah Fowler, along with the research team at Website Planet, announced that they discovered an unprotected database containing more than 170,000 healthcare staffing records from Gale Healthcare Solutions, a Florida-based healthcare staffing company.

The data contained personally identifiable information of medical workers, nurses, and caregivers. If obtained by bad actors, the information could be used to commit identity theft and extortion, among other crimes.

Fowler, the cofounder of security research and consulting firm Security Discovery, regularly works with Website Planet to ethically uncover and expose security risks and data leaks.

“We use a wide range of internally developed tools and methods, as well as open-source tools to discover data exposures,” Fowler explained in an email conversation with HealthITSecurity.

“We never circumvent password protections, and our findings can often be seen without any special software. In many cases this data can be seen with nothing more than a web browser. In this particular case, Gale Healthcare Solution's database was misconfigured. This sometimes happens when an Admin opens up remote access and accidentally opens access for everyone.”

The research team discovered passwords in plain text, links to AWS storage accounts containing photos of employees, and detailed records with discipline and firing information.

Ethical researchers found the leak, but consequences could have been much worse if bad actors obtained the data. Researchers immediately sent a responsible disclosure notice to Gale Healthcare Solutions and public access was closed the same day.

“We are not implying any wrongdoing by Gale Healthcare Solutions, their partners, or users and we are highlighting our discovery to raise data protection awareness and promote cybersecurity best practices,” the report said.

At the time of publication, the report stated that it was unclear how long the database was exposed and who else may have had access to the records. It is also unclear whether the impacted individuals were notified of the potential exposure as required by the Florida Information Protection Act of 2014 (FIPA).

"Cybersecurity is particularly important for the healthcare industry at large. Health organizations, both large and small, must do everything they can to protect both its medical professionals and the patients in their care,” Fowler emphasized.

“When you're handling medical, billing and other highly personal information (like SSNs), you have a great responsibility to guard this data from cyber criminals. This particular breach left medical workers vulnerable to identity theft, scams and extortion because their personal information should have been encrypted differently.”

Data breaches continue to increase in volume and severity across the healthcare sector. The ten largest healthcare data breaches of 2021 impacted a total of 40 million individuals and exposed them to potential security and privacy risks.

“In terms of practical advice, healthcare IT teams must make sure that media links such as pictures or documents are password-protected,” Fowler advised.

“Never label documents with anything that indicates personally identifiable information or sensitive identification numbers. Members of the security team should regularly check IP addresses for open ports or public access."