Thought Leadership
A massive data leak at a Florida-based recruitment agency has affected thousands of hospitals and medical professionals.
On June 20, the Cybernews research team discovered an open web directory that contained a database backup of the company MNA Healthcare. MNA Healthcare specializes in the placement of medical personnel and operates its business in nine US states.
Cause of the leak
The leak was caused by an incorrect configuration of the systems, which made sensitive files publicly accessible. The affected database backup was dated June 2, 2024 and contained a lot of personal information that puts doctors and nurses at risk.
Which data was affected?
The data disclosed includes:
- Full names
- Addresses
- Telephone numbers
- E-mail addresses
- Dates of birth
- Professional experience
- Assigned jobs
- Communication with MNA Healthcare
- Encrypted social security numbers (SSNs)
- Hashed temporary passwords
As doctors in the USA earn an average of around 350,000 US dollars per year, they are a particularly lucrative target for cyber criminals. The sensitive data could be used to hack accounts, commit identity theft or carry out financial fraud.
Risk of identity theft
Particularly alarming: the encrypted social security numbers (SSNs) of the affected employees were also leaked. Although they were encrypted, it turned out that the encryption used was insecure due to a vulnerability.
The company had disclosed a file that could contain the key to decrypt this data. This means that criminals could possibly decrypt the SSNs and use them for identity theft.
Fraudsters can use a stolen SSN to take out loans, file fake tax returns or apply for social security benefits, for example.
Security concerns
According to Aras Nazarovas, security expert at Cybernews, the data leak raises serious questions about MNA Healthcare’s IT security: “The incorrect storage of the database backup and the unprotected configuration file point to further security gaps in the system.”
The vulnerability has now been closed, but the company has yet to make an official statement.
This incident shows how important it is for companies to take the security of their systems seriously in order to protect the data of employees and customers.
