'Uber for nurses' exposes 86K+ medical records, PII in open S3 bucket for months

More than 86,000 records containing nurses' medical records, facial images, ID documents and other sensitive information linked to health tech company ESHYFT were left sitting in a wide-open, misconfigured AWS S3 bucket for months — or possibly even longer — before it was closed last week. Cybersecurity researcher Jeremiah Fowler …

  1. Old Shoes

    Uber for nurses

    Much like how Uber for taxis uses their app to drive down wages for the people doing the work, Uber for nurses — of which this company is one of several — has been accused of purchasing credit information for nurses and using that information to figure out how desperate they are and how little they can be paid.

    https://rooseveltinstitute.org/publications/uber-for-nursing/

  2. PB90210 Silver badge

    There's no F in (f'ing) ESHYT!!

    I'm quite surprised at the number of spreadsheets that turn up if you google a phone number

    (looking up 'missed calls' for my home phone... 'Luke, your local energy advisor' is a busy man!)

  3. JimmyPage Silver badge

    ESHYFT ?

    ESHYT more like.

    1. ecofeco Silver badge

      Re: ESHYFT ?

      Wait. I didn't even notice a difference.

  4. An_Old_Dog Silver badge

    Why TF? ! ...

    * Did this company collect all this PHI which they did not need to broker these temporary nursing gigs?

    * Did the nurses provide all this data?

    1. MachDiamond Silver badge

      Re: Why TF? ! ...

      "* Did this company collect all this PHI which they did not need to broker these temporary nursing gigs?"

      They actually might need to have some medical information that pertains to required screening nurses have to go through. You don't want it discovered late that your nurse with all of the tattoos picked up hepatitis or another something they could share with others.

      Other workers such as pilots and HGV drivers must maintain a health certificate as a requirement of their license.

    2. Anonymous Coward

      Re: Why TF? ! ...

      If it's anything like the data that education is supposed to collect, then it's because of some stupid "we have to have statistics" rule that is purely to justify spending.

      (Old job. Adult education enrollment "form" gained a field every year, or less. Most of which no one is legally required to answer. But if you don't have figures you don't get paid.)

      1. EnviableOne Silver badge

        Re: Why TF? ! ...

        This is why I love the data minimisation clause in GDPR.

        This way, if you don't need it, you don't need to collect it. (the potential fines are too big of a risk)

  5. Wang Cores Silver badge

    If kingdoms are run by kings, the United States is a country for all time.

    This here is the American definition of "efficiency" and why people are panicking about Afrikaner Cartman being loose to create such efficiency in the government.

    During Covid, hospital administrators had to hire extra nurses from agencies as the hospitals were overwhelmed by stable jeanuses. As thanks for their service, some hospitals gave their nurses $20 gift cards, some got pizza parties.

    Getting a pizza party as thanks for pulling 60-hour weeks for months while being assaulted by patients because "my buddies on USPatriots.ru said it was a Chinese bioweapon! give me ivermectin now!" was judged unsatisfactory by the nurses.

    This kickstarted hospital nurses into unionizing and going on strike.

    Then the suits had a dilemma: they were facing down actual labor action! Can't have that! They looked back to their contacts in the nursing agencies: "Can you supply us bodies on-demand?"

    "Sure" says the agencies.

    And so, organizations like this were born. Everyone wanted a piece of undercutting hospital nurses. The suits were happy because they could reduce headcounts of union nurses, the travelling nurses were happy because they were getting paid 5-10x what they would at a hospital, and the middlemen were getting a piece of the action.

    Just ignore that it creates ludicrous swings in the quality of care and motivates nurses to be mercenary, remaining only at a hospital for a period of time to be judged experienced before moving on to an agency and getting paid $lol to move about the country, but it reduced union participation and makes the books look REALLY GOOD for the days they have unoccupied beds.

    And isn't that what running a hospital should always be about? After all, the customers are just dying to get in.

    Supply side economics, babyyyyyyyyyy.

    1. ecofeco Silver badge

      Re: If kingdoms are run by kings, the United States is a country for all time.

      Afrikaner Cartman ?

      Damn! So stealing. Perfect name is perfect.

  6. Terry 6 Silver badge

    Naive question but...

    "This requires a substantial amount of work from the coding and development aspect, but it really is the only way to protect sensitive data delivered to the end users and stored in a central location," Fowler said.

    Err. Isn't there a standard, reusable, off-the-shelf method for doing this? It's not as if these data stores are exactly unusual.

  7. ptribble

    Was it written in a memory safe language?

    We see a lot of fuss being made about rewriting all the world's software in a memory safe language but, as demonstrated here, human carelessness knows no bounds, so is it worth the bother?

  8. PCScreenOnly Silver badge

    Move the E

    Making the prefix E into a suffix would be more appropriate

  9. Tim 11

    Microservices mentality

    I have seen this in several apps and I believe the microservices mentality plays some part here.

    It's trivial to set up a number of separate cloud data stores or APIs accessed through the same SPA, anonymously or with an API key, which encourages people to put all the business logic and permission checking in the front end (often with API keys hard-coded). I'm sure some naïve developers don't realise that even if your app has a login page, access to the underlying data store is not tied to the logged-in user.

    Designing a secure app is a lot more complicated than that and you'll have to either authenticate every data store and API using the user's credentials, or build a single authenticated API at the back end and funnel all your requests through that.
