Cybersecurity researcher Jeremiah Fowler has discovered a major data breach involving ESHYFT, a health tech company based in New Jersey.
The company, which connects healthcare facilities with nursing professionals, had an unprotected database containing over 86,000 records. The exposed data, totaling 108.8 GB, included personal and professional details of healthcare workers.
The database was not secured with a password or encryption, making it accessible to anyone online. It contained profile images, work schedules, professional certificates, CVs, tax-related documents, and even medical records uploaded by users. A spreadsheet held over 800,000 entries detailing nurse IDs, facility names, shift schedules, and work hours. Some documents appeared to include medical reports related to missed shifts or sick leave, potentially containing protected health information.
Fowler reported the breach to the company immediately, but the database remained publicly accessible for more than a month before ESHYFT restricted access. It is unclear whether the company or a third-party contractor managed the database, or whether unauthorized individuals accessed the data. The exposure poses risks such as identity theft, financial fraud, and phishing attacks targeting healthcare professionals.
Bijay Pokharel