Cybersecurity researcher Jeremiah Fowler and a team of ethical hackers with Website Planet have unearthed a non-password-protected database that exposed the private details of more than 30,000 US healthcare professionals.
Gale Healthcare Solutions, Florida based tech firm maintains a database with 170,239 exposed records that include names, emails, home addresses, photographs, as well as Social Security Numbers and tax papers. The leaked data also included forms about certain incidents, disciplines, and termination. Owing to the cyberattack, the trade volume of the company has gone down, CoinGecko CEO Bobby reported. “Crypto exchange hacks are fairly common. Exchanges are a honeypot for hackers because of the high potential payoff for any successful exploit,” he said.
"We only reviewed a limited sampling of documents and did not review each and every file. The files were hosted on an AWS cloud server, and many of the registration documents were open and publicly accessible," Fowler told ZDNet.
"The images I saw were usually of the healthcare worker's face or ID badge, but the URL contained their full name, SSN, and a number consistent with an SSN. I called several individuals and validated only that these were real people and their information matched that in the files."
Due to the high confidentiality of the SSN, it was not appropriate to inquire the victims or ask them to validate their data, the researcher explained.
"These people have a hard enough job without a random stranger calling them and reading out their SSN to them. If the names, phone numbers, and locations of these individuals matched those who I called and validated, it is logical to assume that the number indicated as SSN would most likely be real," he added.
"I can only speculate that someone at Gale likely assumed this would make content management easier if the link had all needed information and could be easily indexed in a readable format and not a more secure unidentifiable internal code ID structure. They also overlooked that these URL paths and file names were not secure or private. Even if the images did not contain pictures of SSN cards, exposure in the numerical text of the image name is just as much of privacy risk and identity threat."
Initially, the firm did not answer requests for comment, but after this story was posted, it sent a statement disputing some of what Fowler and Website Planet discovered.
"When the researcher notified us of a potential vulnerability in September, the environment had already been deactivated and secured. There is no evidence there was any further unauthorized access beyond the researcher or that any personal data has been, or will be, misused," the company stated.
According to Gale, they haven’t determined how long the database was open to the public and who else may have accessed it. However, the researcher refused to comment about whether they have notified any healthcare professionals who may have had their personal details leaked. He said the firm is obliged to notify victims as part of the Florida Information Protection Act of 2014.