Researchers have found a database backup from Florida-based recruiting firm MNA Healthcare that was left unsecured online, leaving thousands of employee details accessible to anyone.
The company provides staffing services for healthcare workers, connecting them with hospitals and organizations in nine states.
Experts at Cyber News noted that the leaked information included full names, addresses, phone numbers, job titles, work experience, and encrypted Social Security numbers (SSNs). Of course, the SSNs are particularly concerning because the personally identifiable information can be used by criminals to conduct fraudulent activities and poses a risk of identity theft.
A vulnerable industry
The encryption on the SSNs used ‘mcrypt’, which is commonly used by the Laravel Web application framework, and researchers discovered an exposed environment file containing the Laravel App Key. These findings suggest that it may be possible to decrypt the SSNs, putting those affected at risk.
The leaked data from the recruitment agency included information from 11,000 hospitals, 14,000 physician accounts, 37,000 potential leads and 11,000 job applications.
“The data breach raises further concerns about the security of the company’s infrastructure, as the database backup for their platform was improperly stored, as well as a configuration file containing the key likely used to decrypt SSNs,” confirmed Aras Nazarovas, a security researcher at Cybernews.
It is not clear how the information was exposed, but the breach could leave victims vulnerable to phishing attacks or scams. Healthcare is a particularly popular target because services are so critical, with Malicious actors attacking hospitals at an unprecedented pace.
Because doctors are typically high earners, they are attractive targets for cybercriminals. With personally identifiable information such as social security numbers, full names, addresses, and phone numbers, malicious actors can commit financial fraud, credential stuffing, or identity theft. We recommend taking a look at protection against identity theft to protect your data.