Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database that contained over 86,000 records belonging to ESHYFT — a New-Jersey-based HealthTech company that operates in 29 states. This database contained 86,341 records including PII of users. A discovery that I previously covered here.
Erich Kron, Security Awareness Advocate at KnowBe4 had this to say:
“Breaches like this are indicative of the problem with collecting sensitive data without controls to protect it. Not only is the information that has been stolen extremely useful if a bad actor wants to steal one of these individuals’ identity, but it also contains a lot of information that could easily be used in an even more damaging social engineering attack. By having access to information about past jobs, shifts, or similar private life events, a bad actor could easily use it to convince a potential victim that they are from a previous employer, or a potential future employer trying to recruit them. Scams related to employment opportunities are common and can be used to fleece the victims out of money and even more sensitive information.”
“Organizations that handle information such as this have a duty to protect their customers’ information. While it is a temporary inconvenience for an organization to suffer a data breach, the implications of information such as this being lost can impact the victims for a lifetime. Organizations need to address not only technical security controls, but also human risk, which can include misconfiguring security and permissions related to information storage and access, poor software coding practices, or even making unapproved copies of data, among others.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech follows with this:
“There is no excuse for leaving such a sensitive database unprotected, and it has almost certainly been found and copied already by cybercriminals. Our honeypot studies show it takes just a few hours for hackers to find and target exposed databases like this one. Thankfully, none of the data poses a direct threat to data subjects or their finances.”
“Hospitals, clinics, and other healthcare companies are frequently targeted by ransomware gangs and other cybercriminals. Comparitech researchers logged 146 confirmed ransomware attacks on US healthcare companies in 2024, compromising more than 24.8 million records. The average ransom was $1.05 million.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy adds this:
“Unfortunately, it seems like lately it’s another day, another data breach made easy by a misconfigured AWS S3 data bucket. There is simply no excuse for this happening. We’ve seen enough of these data breaches that are enabled by misconfigured data buckets that every database professional should be aware of the issue and they should have educated themselves as to how to better secure these data buckets. Until we see more educational efforts and efforts on the parts of IT professionals, we’ll continue to see these on a regular basis.”
Organizations need to make protecting PII their priority. And if they don’t take that responsibility seriously, then I say fine them and make it so expensive that they are forced to do the right thing. Because these sorts of events are not acceptable.
UPDATE: Martin Jartelius, CISO at Outpost24 had this to say:
“Do your attack surface management and track data leakage in it – otherwise someone else will. In this case someone who responsibly disclosed it later thankfully.”
Jim Routh, Chief Trust Officer at Saviynt follows with this:
“Thanks to Cybersecurity Researcher, Jeremiah Fowler for pointing out the obvious. Customer information for healthcare or any other sector must apply the right level of control to the appropriate data classification. Data classified as restricted or at the highest level must include encryption of data at rest and advanced multi-factor authentication at a minimum.”
Like this:
Like Loading...
Related
This entry was posted on March 14, 2025 at 8:42 am and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
PII Exposed Online in Healthcare Marketplace Connecting Facilities and Nurses Data Leak
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database that contained over 86,000 records belonging to ESHYFT — a New-Jersey-based HealthTech company that operates in 29 states. This database contained 86,341 records including PII of users. A discovery that I previously covered here.
Erich Kron, Security Awareness Advocate at KnowBe4 had this to say:
“Breaches like this are indicative of the problem with collecting sensitive data without controls to protect it. Not only is the information that has been stolen extremely useful if a bad actor wants to steal one of these individuals’ identity, but it also contains a lot of information that could easily be used in an even more damaging social engineering attack. By having access to information about past jobs, shifts, or similar private life events, a bad actor could easily use it to convince a potential victim that they are from a previous employer, or a potential future employer trying to recruit them. Scams related to employment opportunities are common and can be used to fleece the victims out of money and even more sensitive information.”
“Organizations that handle information such as this have a duty to protect their customers’ information. While it is a temporary inconvenience for an organization to suffer a data breach, the implications of information such as this being lost can impact the victims for a lifetime. Organizations need to address not only technical security controls, but also human risk, which can include misconfiguring security and permissions related to information storage and access, poor software coding practices, or even making unapproved copies of data, among others.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech follows with this:
“There is no excuse for leaving such a sensitive database unprotected, and it has almost certainly been found and copied already by cybercriminals. Our honeypot studies show it takes just a few hours for hackers to find and target exposed databases like this one. Thankfully, none of the data poses a direct threat to data subjects or their finances.”
“Hospitals, clinics, and other healthcare companies are frequently targeted by ransomware gangs and other cybercriminals. Comparitech researchers logged 146 confirmed ransomware attacks on US healthcare companies in 2024, compromising more than 24.8 million records. The average ransom was $1.05 million.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy adds this:
“Unfortunately, it seems like lately it’s another day, another data breach made easy by a misconfigured AWS S3 data bucket. There is simply no excuse for this happening. We’ve seen enough of these data breaches that are enabled by misconfigured data buckets that every database professional should be aware of the issue and they should have educated themselves as to how to better secure these data buckets. Until we see more educational efforts and efforts on the parts of IT professionals, we’ll continue to see these on a regular basis.”
Organizations need to make protecting PII their priority. And if they don’t take that responsibility seriously, then I say fine them and make it so expensive that they are forced to do the right thing. Because these sorts of events are not acceptable.
UPDATE: Martin Jartelius, CISO at Outpost24 had this to say:
“Do your attack surface management and track data leakage in it – otherwise someone else will. In this case someone who responsibly disclosed it later thankfully.”
Jim Routh, Chief Trust Officer at Saviynt follows with this:
“Thanks to Cybersecurity Researcher, Jeremiah Fowler for pointing out the obvious. Customer information for healthcare or any other sector must apply the right level of control to the appropriate data classification. Data classified as restricted or at the highest level must include encryption of data at rest and advanced multi-factor authentication at a minimum.”
Share this:
Like this:
Related
This entry was posted on March 14, 2025 at 8:42 am and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.