According to security expert Jeremiah Fowler and a group of ethical hackers from Website Planet, the personal details of more than 30,000 US healthcare employees were recently exposed because a database was not secured with a password. Fowler identified a Gale Healthcare Solutions database with 170,239 exposed entries, including names, emails, home locations, photographs, and, in some instances, Social Security numbers and tax paperwork.
Gale Healthcare Solutions is a Tampa, Florida-based internet firm that links healthcare employees with employers needing to fill specific hours. Fowler said that the data includes forms relating to particular occurrences, punishment, and terminations. Due to the sensitive nature of SSNs, he did not believe it was proper to ask victims for their SSN or ask them to authenticate the details.
Gale Healthcare Solutions initially declined to comment, but after this story was published, the company issued a statement contradicting part of what Fowler and Website Planet discovered. According to the company, the database was a “temporary environment created for an internal system test.”
Website Planet’s Fowler and other ethical hackers look for significant data leaks by randomly analyzing open, unsecured databases. They never target specific firms. Medical staff, nurses, and caretakers were included in the 170,239 records. As per a study by Fowler, internal email addresses, usernames, and administrator passwords were saved in plain text.
Fowler and his team called Gale, and public access to the databases was shut down the same day. The company never answered their questions. During the database analysis, Fowler discovered that several administrative accounts had weak passwords, noting that “Password” occurred 2,921 times in a sample of 10,000 entries.
Fowler stated that it is unknown how long the database was available or who else could have viewed it. Gale has not responded to requests for comment on whether any healthcare personnel who may have had their personal information exposed have been alerted. According to him, the Florida Information Protection Act of 2014 requires the firm to notify victims.