Health-tech provider Logezy has come under fire for a significant data exposure incident affecting nearly 8 million records related to UK healthcare workers. The incident was uncovered by ethical hacker Jeremiah Fowler, who discovered that sensitive information had been left unsecured in an accessible database.
The exposed records included a mix of both structured and unstructured data, ranging from work authorization documents to images of drivers’ licenses. Logezy, a company that handles employee data management including compliance and payroll, has reaffirmed its commitment to protecting sensitive client information. However, the lack of password protection and encryption raises critical concerns about data security protocols in place.
Fowler reported the findings to Logezy immediately, stating, “I do not download the data I discover.” Following the report, the company promptly removed the accessible database. While Fowler stresses that he implies no wrongdoing by the company, he outlined various risks associated with the breach, suggesting the potential for ransomware and social engineering attacks directed at healthcare firms.
Moreover, there is uncertainty whether Fowler was the first to discover the exposed database. Should unauthorized access have occurred prior to his findings, the ramifications could have included data exfiltration used in phishing attacks, risking protected health information (PHI) of multiple patients. The incident underscores the pressing need for enhanced data security measures in healthcare organizations, especially considering studies that reveal significant financial losses due to cyberattacks.
Fowler has recommended against the current storage strategies, advocating for better segmentation and encryption of sensitive records. “Companies collecting records from multiple business sources should segment these records in separate cloud storage environments to enhance security,” he suggested. This incident serves as a stark reminder that without robust security measures—such as proper access controls and encryption—sensitive client data remains vulnerable.