
Misconfigured AWS S3 bucket exposes US nurses’ data


New Jersey-based health tech firm ESHYFT, which offers a mobile app touted as an Uber-like service for nurses in more than two dozen U.S. states, had 108.8 GB of nurses' data inadvertently leaked for months by an unprotected AWS S3 bucket, reports The Register.

The 86,341 records exposed by the database (which was confirmed to have been secured last week, two months after being detected) included nurses' user profile photos and facial images, scanned Social Security cards and driver's licenses, professional certificates, CVs, CSV files containing monthly work schedule logs, diagnoses, prescription records, and disability insurance claims, according to an analysis by cybersecurity researcher Jeremiah Fowler published on Website Planet.

ESHYFT also had a spreadsheet with over 800,000 entries containing nurses' IDs, facility names, shift times and dates, and working hours exposed, said Fowler, who remains uncertain about the ownership of the misconfigured database.

Fowler also noted that the growing prevalence of unintentional compromise stemming from open databases should prompt the immediate encryption of sensitive documents that could be later decrypted using a time-limited access token.
