An IT professional has discovered that the US healthcare company Health Stream left exposed online contact information for roughly 10,000 medics.
Wethern reported his discovery to Health Stream ten days ago, he explained that the data are hosted one of the websites that have been removed.
Records in the archive left open online includes last names of medics connected to Health Stream’s Neonatal Resuscitation Program, their email addresses, and ID numbers.
The site hosting the medics’ records was taken offline shortly after Wethern reported the data leak, but even if the website is no more accessible, leaked data are still available in different online caches.
Leaked data could be used by threat actors to launch a spear phishing campaign against medics at Health Stream.
“What I found was a front-side database,” Wethern told El Reg. “I don’t need their passwords … because I have the front-side database.”
Wethern decided to disclose the data leak to warn of the risks of such kind of incidents and highlight the importance of reserving a budget for cybersecurity of IT infrastructure.
“Hire a basic researcher, first and foremost. Allow your company to budget for these types of intrusions,” Wethern added.
“And before this all happens, make sure to have a data breach summary in place. Be current with bug bounty programs, own up to your mistakes, and honor the fact that security researchers can be good people out to do good things.”
Health Stream did not comment the data leak.
(Security Affairs – Health Stream, data leak)