Over 86,000 healthcare worker records leaked in ESHYFT's unsecured S3 Bucket
A significant data leak has been identified affecting ESHYFT, a New Jersey-based healthcare technology company. The company, which describes itself as "like an Uber for nurses," connects certified nursing assistants (CNAs), licensed practical nurses (LPNs), and registered nurses (RNs) with per-diem shifts at hospitals and long-term care facilities through its mobile application.
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected, unencrypted Amazon S3 bucket containing sensitive data belonging to ESHYFT. Despite Fowler immediately notifying the company, the database remained publicly accessible for over a month before finally being secured on March 5th, 2025. The exposed database contained 108.8 GB of data with 86,341 records.
The exposed database contained sensitive information, including:
- User profile pictures and facial images (some showing medical IDs and credentials)
- Scanned copies of driver's licenses
- Social Security cards
- Professional certificates
- Work assignment agreements
- CVs and resumes
- Medical diagnoses and prescription records
- Disability insurance claims
- Work schedules and timecards
- User addresses
- Information on "disabled users"
- Monthly work schedule logs
This data exposure occurred in an industry that is already heavily targeted by cybercriminals. Hospitals and healthcare facilities are regularly victimized by ransomware crews and other malicious actors seeking to steal personal and health information. The exposed data could potentially be used for identity theft, employment fraud, financial fraud, or highly targeted phishing campaigns.
After being notified, ESHYFT acknowledged the report with the statement: "Thank you! we're actively looking into this and working on a solution." However, it took over a month for the database to be secured from public access. It remains unclear whether ESHYFT or a third-party contractor owned and managed the database.
The company has not publicly disclosed the breach, and there is no information available about whether affected individuals have been notified.