Recently I discovered a non-password protected database that contained a total of 170,239 records. The data contained details of medical workers, nurses, and caregivers. These employee profiles exposed names, phone numbers, email addresses, and home addresses. The accounts also contained links to images of the employees, files that indicated credentials, and tax documents (SSN / Social Security Number).
There were multiple references to Gale Healthcare Solutions. We immediately sent a responsible disclosure notice to multiple addresses and public access was closed the same day.
According to their website “The Gale app uses the latest mobile technology to connect healthcare facilities in need of clinical talent with our large network of local available nurses and caregivers. With Gale, facilities can fill open shifts within seconds, easily stay on top of compliance and never worry about short-staffing again”.
On September 7th I sent two separate responsible disclosure notices to multiple individuals at Gale Health outlining our findings and the database was closed shortly after, but unfortunately no one ever replied. In my experience it is very rare and not recommended from a privacy standpoint to ever use real data for testing purposes under any circumstances. I made several phone calls to individuals inside the records and validated that these were real people who matched the names in the files, and the image links contained the same names. We had no reason to doubt that this was real data, and when the names, images, addresses, and phone numbers all appeared to be real it is logical to assume that the SSN could also be real. We only state in our report that the numbers were labeled as an “SSN” and highlight the dangers of any organization using sensitive data in file names as an educational message to the security community.
Gale Health has disputed our findings, but it is a fact that an estimated 70 – 90 % of breaches are caused by social engineering attacks, and here was a massive list of emails and phone numbers of real healthcare workers that could be targeted by cyber criminals with insider information. A simple phone call saying “I am John from Gale Healthcare Solutions and I need to verify your information”. Then the criminal reads them their address and email, and asks for the SSN or bank account information. This is how a classic targeted social engineering attack happens, and often the victim has no reason to doubt the call because they are given information that only a representative of the organization would know, including first date worked and notes of where they worked. There are still considerable security risks with this data incident.
We only publish what we found, who it belongs to and the potential risks, and in good faith try to secure publicly exposed data. It was unusual that we did not receive a reply from anyone at Gale Health acknowledging or denying our findings. In my experience of reporting thousands of data exposures, organizations are very quick to report test data, often thanking security researchers for finding any vulnerabilities. When it comes to data protection our goal is to raise awareness for the affected individuals and help protect their personal information. Data security is important, and so is protecting the individual information of front line healthcare workers.
What Data Was Exposed:
- Total Number of Records: 170,239 in two folders: Contacts (139k) and Employees (31.5k). In a large sampling of records these appeared to be unique and without duplicates.
- Internal records that include first and last names, phone, emails, home addresses, hire dates, apply dates, skill level, and some had detailed notes of incidents and terminations.
- Passwords in plain text; usernames appeared to be the user’s name or the email address that was also listed in the account. We assume this allowed access into the application or employee portal.
- Links to AWS storage accounts that contained photos of the employees and files named “SSN Card” or “credentials”.
- Images were in a format that contained the employee’s full name and a number titled “SSN” in the file name. Here is an example of a file name: https://REDACTED.com/gale-registration-documents/documents/Jane-Doe-CNA/Jane_Doe-CNA-SocialSecurityCard-123456789.jpeg
- This exposed data could be used for a range of crimes including identity theft, scams, and extortion. With email addresses cyber criminals could launch a targeted phishing campaign or social engineering attack using insider information to establish trust.
- The storage links also revealed where the data was stored and the sub-folders, which could have been a secondary target.
- Detailed records of discipline, firing, and other work-related problems that should not be publicly exposed.
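The two findings above that an organization can check for on its own are sensitive values embedded in storage object names (the “SSN” number in the file name) and passwords stored in plain text. The following Python audit is an added example written for this post, not code from the report or from Gale Healthcare Solutions. It runs over constructed sample object keys and records that only mimic the layout quoted above (fictitious names, a made-up nine-digit number), flags object keys that carry SSN-shaped numbers or sensitive keywords, flags password fields whose value does not look like a known hash format, and produces a summary in which any SSN-shaped number is redacted so the finding can be reported without re-exposing the value.

```python
import re

# Constructed sample inputs, not data from the exposed database. The key layout
# mirrors the pattern quoted in the report with fictitious names and numbers.
SAMPLE_KEYS = [
    "gale-registration-documents/documents/Jane-Doe-CNA/Jane_Doe-CNA-SocialSecurityCard-123456789.jpeg",
    "gale-registration-documents/documents/John-Roe-RN/John_Roe-RN-credentials.pdf",
    "gale-registration-documents/documents/John-Roe-RN/profile-photo.jpeg",
]
SAMPLE_RECORDS = [
    {"email": "jane.doe@example.com", "username": "jane.doe@example.com", "password": "Summer2021!"},
    {"email": "john.roe@example.com", "username": "john.roe", "password": "$2b$12$" + "x" * 53},
]

# Nine digits, with or without the usual 3-2-4 hyphenation, not part of a longer digit run.
SSN_RE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")
# Keywords that should never appear in an object key; matched after stripping separators.
SENSITIVE_NAME_TOKENS = ("socialsecurity", "ssn", "taxid", "passport", "driverslicense", "credentials")
PASSWORD_FIELDS = ("password", "passwd", "pwd", "pass")
# Modular-crypt prefixes of common password hash formats (bcrypt, argon2, pbkdf2, scrypt, sha-crypt).
HASH_RE = re.compile(r"^(\$2[aby]\$|\$argon2|\$pbkdf2|\$scrypt|\$[56]\$)")


def redact_ssn(text):
    """Replace every SSN-shaped number with a fixed mask so findings can be shared safely."""
    return SSN_RE.sub("***-**-****", text)


def audit_object_key(key):
    """Return a list of issues for one storage object key; an empty list means clean."""
    issues = []
    normalised = re.sub(r"[^a-z0-9]", "", key.lower())  # "Social-Security_Card" -> "socialsecuritycard"
    for token in SENSITIVE_NAME_TOKENS:
        if token in normalised:
            issues.append(f"sensitive keyword in key: {token}")
    if SSN_RE.search(key):
        issues.append("SSN-shaped number embedded in key")
    return issues


def audit_record(record):
    """Return a list of issues for one account record: plaintext passwords and SSN-shaped values."""
    issues = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        if field.lower() in PASSWORD_FIELDS and not HASH_RE.match(value):
            issues.append(f"plaintext password in field '{field}'")
        if SSN_RE.search(value):
            issues.append(f"SSN-shaped value in field '{field}'")
    return issues


def run_audit(keys, records):
    """Audit keys and records together; keys in the summary are redacted before being reported."""
    findings = []
    for key in keys:
        issues = audit_object_key(key)
        if issues:
            findings.append({"type": "object_key", "subject": redact_ssn(key), "issues": issues})
    for index, record in enumerate(records):
        issues = audit_record(record)
        if issues:
            findings.append({"type": "record", "subject": f"record #{index}", "issues": issues})
    return {
        "flagged_keys": sum(1 for f in findings if f["type"] == "object_key"),
        "flagged_records": sum(1 for f in findings if f["type"] == "record"),
        "findings": findings,
    }


if __name__ == "__main__":
    summary = run_audit(SAMPLE_KEYS, SAMPLE_RECORDS)
    print(f"{summary['flagged_keys']} object keys and {summary['flagged_records']} records flagged")
    for finding in summary["findings"]:
        print(finding["subject"], "->", "; ".join(finding["issues"]))
```

In practice `SAMPLE_KEYS` would be replaced by a listing of the bucket (for example the output of the storage provider's list-objects call) and `SAMPLE_RECORDS` by a database export; the SSN and keyword checks are deliberately loose heuristics, so the output is a triage list for a human, not a verdict. The hash-prefix test only recognises the modular-crypt formats listed in `HASH_RE`; a deployment using another format should extend that pattern rather than treat its hashes as plaintext.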