Researcher: Healthcare Staffing Database Exposed Worker PII
Firm Disputes Details of What Was Contained in Datasets
A security researcher says a misconfigured, non-password-protected database of a healthcare staffing company potentially exposed on the internet the personal information in about 170,000 medical worker records. The staffing firm, however, disputes the details of what was allegedly contained in the database.
In a report issued Wednesday, researcher Jeremiah Fowler of security firm Security Discovery says he and his research team recently discovered a non-password-protected database belonging to Tampa-based healthcare staffing firm Gale Healthcare Solutions.
Fowler alleges the database contained more than 170,000 records of nurses, caregivers and other medical workers, including employee profiles featuring names, phone numbers, email addresses and home addresses, as well as links to images of the employees, files that indicated credentials, and tax documents containing information such as Social Security numbers.
Some of the internal records also included employee hire dates, application dates, skill level, and in some cases, detailed notes about incidents and terminations, he alleges.
The exposed dataset also contained multiple references to "UseGale" files and included internal email addresses, usernames and administrative passwords in plain text, he says.
"There were records in the folder named 'Employees' that contained the @usegale.com domain with indications of 'internal corp employee.'"
Fowler says the domain is used by Gale Healthcare Solutions to promote its mobile application. Upon discovery of the database, Fowler says his team immediately sent a disclosure notice to the company's multiple addresses, and public access to the database was closed the same day.
Fowler's report says that the researchers were uncertain exactly how long the database had been exposed. But he tells Information Security Media Group that he suspects it was "not long - only because I didn't see any automated ransomware messages that can usually appear in as fast as one to two days."
Gale Healthcare Solutions Statement
Gale Healthcare Solutions in a statement to ISMG on Friday disputes some of the allegations about what was contained in the exposed database discovered by Fowler and his research team.
"Contrary to the report findings, Social Security numbers were not used in the file names, nor disclosed," Gale Healthcare says.
"Rather, file names featured auto-generated sequential ten-digit Unix timestamps that were used in the testing environment. Dates of birth were also not disclosed, and to our knowledge, the accounts did not contain active links to images of tax documents or other credentials," the company says.
"There is no evidence there was any further unauthorized access beyond the researcher or that any personal data has been, or will be, misused. Data security and privacy is a core commitment for our company. We take that commitment very seriously, and continue to take strides to protect all clinician data that we hold."
Fowler did not immediately respond to ISMG's request for comment on Gale Healthcare's statement refuting what was contained in the database.
Risky Exposure
One type of information that was definitely not contained in the exposed Gale Healthcare Solutions database was patient information, Fowler says.
And because the incident did not involve protected health information, it is not a reportable HIPAA breach, says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
Most states, however, require that consumers be notified when their Social Security number, credit card or banking information is compromised, he says.
According to Holtzman, "Some states require organizations to begin notifying affected consumers in as few as 15 days after discovery of the breach while others have open-ended requirements for communicating news about incidents."
He says the type of information compromised through any security incident, including those involving a professional staffing organization, can be tremendously damaging to affected individuals because it can put them at risk for identity theft and financial fraud.
"When collecting sensitive PII, the organization should carefully assess why the information is being collected and minimize access to the data to only those with an appropriate role in the organization," he says.
Holtzman also says organizations should not create unnecessary or duplicative collections of sensitive personally identifiable information - including information stored on backup servers, network drives or unencrypted drives or applications - and should securely delete electronic files containing sensitive PII that is no longer needed, wherever it is stored.