Thousands of US medical professionals have data exposed in major data breach

A medical professional working on a digital device with icons floating in the air.

Image Credit: Shutterstock (Image credit: Shutterstock)

Researchers have found a database backup belonging to Florida-based recruitment company MNA Healthcare left unsecured online, leaving the details of thousands of workers open to anyone.

The company offers staffing services for healthcare workers and matches them with hospitals and organizations across nine states.

Experts at Cybernews noted the leaked information included full names, addresses, phone numbers, job titles, work experience, and encrypted Social Security numbers (SSNs). Of course, the SSNs are particularly worrying, as the personally identifiable information can be used by criminals to carry out fraudulent activities and presents a risk of identity theft.

A vulnerable industry

The encryption on the SSNs used ‘mcrypt’, which is often used by the Laravel Web application framework, and researchers discovered an exposed environment file containing the Laveral App Key. These findings suggest it would be possible to decrypt the SSNs, putting those affected at risk.

The leaked details from the recruitment company included info from 11,000 hospitals, 14,000 doctors accounts, 37,000 potential leads, and 11,000 job applications.

“The data leak causes further concerns regarding the company's infrastructure security as the database backup for their platform was improperly stored, as well as a configuration file containing the key likely used to decrypt SSNs," Aras Nazarovas, a security researcher at Cybernews confirmed.

It’s not clear how the information was exposed, but the breach could leave victims vulnerable to phishing attacks or scams. The healthcare industry is a particularly popular target since services are so crucial, with malicious actors hitting hospitals at an unprecedented rate.

Since doctors tend to be high earners, they are attractive targets to cyber criminals. With personally identifiable information like SSNs, full names, addresses, and phone numbers, malicious actors could engage in financial fraud, credential stuffing, or identity theft. We recommend taking a look at identity theft protections to safeguard your data.

More from TechRadar Pro

We've listed the best medical practice management software
Battling identity theft: effective strategies to keep fraudsters at bay
Exploring modern Hacktivist tactics, a threat to digital infrastructure

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.