Recently I discovered a non-password protected database that contained a total of 170,239 records. The data contained details of medical workers, nurses, and caregivers. These employee profiles exposed names, phone, email, home addresses. The accounts also contained links to images of the employees, and files that indicated credentials, and tax documents (SSN / Social Security Number).
There were multiple references to Gale Healthcare Solutions. We immediately sent a responsible disclosure notice to multiple addresses and public access was closed the same day.
According to their website “The Gale app uses the latest mobile technology to connect healthcare facilities in need of clinical talent with our large network of local available nurses and caregivers. With Gale, facilities can fill open shifts within seconds, easily stay on top of compliance and never worry about short-staffing again”.
On on September 7th I sent two separate responsible disclosure notices to multiple individuals at Gale Health outlining our findings and the database was closed shortly after, but unfortunately no one ever replied. In my experience it is very rare and not recommended from a privacy standpoint to ever use real data for testing purposes under any circumstances. I made several phone calls to individuals inside the records and validated that these were real people who matched the names in the files, and the image link contained the same names. We had no reason to doubt that this was not real data and when the name, images, addresses, and phone numbers all appeared to be real it is logical to assume that the SSN could also be real. We only state in our report that the numbers were labeled as an “SSN” and highlight the dangers of any organization using sensitive data in file names as an educational message to the security community.
Gale Health has disputed our findings but it is a fact that an estimated 70 – 90 % of breaches are caused by social engineering attacks and here was a massive list of emails and phone numbers of real healthcare workers that could be targeted by cyber criminals with insider information. A simple phone call saying ” I am John from Gale Healthcare Solutions and I need to verify your information”. Then the criminal reads them their address, email, and asks for the SSN or bank account information. This is how a classic targeted social engineering attack happens and often the victim has no reason to doubt the call because they are given information that only a representative of the organization would know including first date worked and notes of where they worked. There is still considerable security risks with this data incident.
We only publish what we found, who it belongs to and potential risks and in good faith try to secure publicly exposed data. It was unusual that we did not receive a reply from anyone at Gale Heath acknowledging or denying our findings. In my experience of reporting thousands of data exposures organizations are very quick to report test data often thanking security researchers for finding any vulnerabilities. When it comes to data protection our goal is to raise awareness for the affected individuals and help protect their personal information. Data security is important and so is protecting the individual information of front line healthcare workers.
Stay ahead of cyber threats with Security Discovery. We offer expert consulting, comprehensive services, and a powerful vulnerability monitoring SaaS platform. Protect your business proactively - get in touch today for personalized digital security solutions.