'Uber for nurses' exposes 86K+ medical records, PII via open S3 bucket
111 comments
March 13, 2025 · ethagnawl
linsomniac
I don't remember the source, but I believe I listened to a podcast on an "uber for nurses" (not sure if it was this place), but they do all sorts of nasty things that really shaft the nurses. ISTR that the nurses, when they get called in, have to be running a phone app that tracks them, and if they get stuck in traffic or lose cell signal, they get demerits. They pretty much do anything they can to give the nurses a demerit, and demerits cause your pay to go down.
So they're pretty much taking the existing terrible nursing environment in healthcare, and weaponizing it. Nurses already have too many patients and not enough CNAs, on top of 12 hour shifts, needing to do charting after those 12 hours. Healthcare squeezes nurses to the breaking point. Data point: my wife is a nurse.
vincnetas
this is the presentation that discusses this wage suppression for nurses.
wewtyflakes
This is abhorrent if true; truly evil behavior.
Graziano_M
It's definitely shady, but it's par for the course. Uber charges you more if you have more gift cards loaded, or just spend more on average in general. You charge what the market will bear.
bqmjjx0kac
You charge what the market will bear, not the individual.
mrbungie
Pieces of shit. And then they assign you a score for each travel, as if you are really "carpooling" when in reality it is a shitty taxi replacement (not that taxis are on a moral high ground, but the point still stands).
sudoshred
Game theory transcends basic humanity.
inetknght
You might be surprised to learn that they're not the only company to do so.
speed_spread
Names. We need names.
timewizard
It's amazing that, on a cursory look, only 11 states make this practice illegal. The "AI scriptown" is growing.
jmye
I’m interested, given the massive nursing shortages, why any nurses were using this service at all? Especially for higher levels, there’s no reason to mess with a shitty app that underpays you, when you should be able to walk into any provider’s office or facility and get hired almost immediately (and for RNs, you even have wide-ranging telehealth options).
hn_throwaway_99
This was my thought exactly. There is a giant nursing shortage. I know some nurses who are traveling nurses and they make bank, and they don't need any BS app. (Just want to emphasize, nursing is an incredibly difficult job at the moment, but there are also currently weird dynamics where traveling nurses can actually make a lot more than "stationary" nurses).
Thus, I'm led to believe that nurses using this app have to have some sort of difficulty finding jobs for other reasons, or they're just not informed about their options.
refurb
That seems like a terrible way to estimate nurse wages.
People have spouses.
People’s parents pay credit cards.
People with bad credit sometimes don’t care.
People have family money.
People with low debt can be desperate for work.
Does it even work?
DavidPeiffer
At scale, the corner cases don't really matter. In aggregate, if it's decently well correlated and readily available, it's probably going to be used.
I can't find it now, but I believe LexisNexis or another large similar reporting/data agency had a product catalog of dozens of products that spit out values for ability to pay, disposable income monthly, annual income, etc.
It makes you feel awful thinking about the direction things are headed. Corporations approaching omniscient regarding all facts of our lives that are reasonably of value to them.
jihadjihad
In the section of their Privacy Policy titled Data Security [0]:
> We use certain physical, managerial, and technical safeguards that are designed to improve the integrity and security of information that we collect and maintain. Please be aware that no security measures are perfect or impenetrable. We cannot and do not guarantee that information about you will not be accessed, viewed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. In particular, the Service is NOT designed to store or secure information that could be deemed to be Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
IANAL and all that, but I’m not sure you can use the excuse “We didn’t design our system to be HIPAA compliant, sorry,” and hope your liability disappears. Does anyone know?
0: https://eshyft.com/wp-content/uploads/2019/06/ESHYFT-Privacy...
weezin
HIPAA applies to patient data not providers data.
> I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations.
It looks like providers accidentally uploaded some PHI.
IANAL so may be wrong, but I worked for a healthcare company. Whether HIPAA applies to them depends on if they are considered a covered entity or a business associate [0].
IMO they aren't bound to HIPAA requirements as a covered entity.
Business associate is a little tricky to determine. But business associates have to sign a BAA (Business Associate Agreement). And I doubt they would have signed one if they have that in their privacy policy.
Also just as a side note, HIPAA is not an ideal standard to begin with for security. Many large companies exchange bulk PHI via gmail since it is HIPAA compliant..
0: https://www.hhs.gov/hipaa/for-professionals/covered-entities...
hn_throwaway_99
> Also just as a side note, HIPAA is not an ideal standard to begin with for security. Many large companies exchange bulk PHI via gmail since it is HIPAA compliant.
You seem to imply using GMail is a bad thing? I think GMail, when appropriately configured to handle PHI, is probably a million times more secure than some crappy bespoke "enterprise" app.
weezin
It isn't that hard to set up a secure SFTP server to automate the exchange. But then again this is a post about configuring an S3 bucket with public access for SSNs.
The issue with Gmail is sending to the wrong email, sending to a broad email list, having people download it to their local machines. And the amount of PHI being transmitted in these files is larger than this s3 bucket.
SkyPuncher
HIPAA only applies to a very specific entity called a "covered entity". At a high level, "covered entities" are health care providers that accept insurance or insurers. That's right, there's a massive caveat on "accepts insurance". You can be a healthcare provider and do not have to comply with HIPAA if you don't accept insurance.
That being said, HIPAA isn't even relevant here because "ESHYFT" is just a provider of labor. No different than a big consultant providing staff augmentation services.
hn_throwaway_99
> At a high level, "covered entities" are health care providers that accept insurance or insurers. That's right, there's a massive caveat on "accepts insurance". You can be a healthcare provider and do not have to comply with HIPAA if you don't accept insurance.
Again, HIPAA continues to be the most colloquially misunderstood law out there.
The rule that makes providers "covered entities" isn't really about insurance, it's about whether they transmit specific HIPAA "transactions" electronically. Now, yes, most of these transactions having to do with providers are things like claim submissions or pre-authorizations to insurance. But there are other reasons a provider may need/want to send a HIPAA transaction electronically.
My point is that there isn't some sort of "loophole" where providers that don't accept insurance are somehow being sneaky. The whole point of the HIPAA security rule is to protect PHI when it is transferred around to different entities in the healthcare system. If the information is going just between you and your doctor, HIPAA isn't relevant, and that is by design.
hansvm
HIPAA doesn't care about your POS TOS. It either applies or does not.
That said, it's both less broad and more toothless than I'd like. If FB convinces you to install a tracking pixel (like button) stealing your private medical data, they likely haven't violated any laws. At most you'd be able to file a claim against the person who created the leak.
Not a lawyer and all that, but for TFA I don't think HIPAA would be a valid way to try to limit your losses. It's a bit closer to what would happen if you (a doctor) uploaded patient data to Google Drive and then somehow leaked that information (one of Google's contractors disclosing it, a hack, whatever). Nothing about ESHYFT's offerings requires or would be benefited by the data HIPAA protects, and (ignoring incompetence and other factors) I'd be as surprised to see my health data leaked there as I would to see a YT video going over my last lab reports because of some hospital's actions.
They could still be liable for all sorts of other damages (and maybe somebody can convince a court of a HIPAA violation), but it's not an easy HIPAA win.
tclancy
If you're not a direct health provider, you probably can. Don't take that as an endorsement.
skue
If you partner with a healthcare provider to provide any sort of technical services, you will be required to sign a BAA (Business Associates Agreement), which makes you similarly liable to the HIPAA & HITECH acts.
weezin
It depends; there are some exceptions. [0]
>With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
Based on the context from the article of the PHI uploaded being incidental, it would probably fall under this exception. It sounds like ESHYFT isn't meant to be storing any PHI based on the privacy policy above.
0: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...
colechristensen
[Nevermind]
johann8384
The PII of the nurses being accidentally shared by a staffing agency isn't a HIPAA violation. Yes the nurses are providers but their relationship with the Uber for nurses service isn't a medical provider relationship. It's definitely a legal and ethical failing but I don't think it's a HIPAA one.
DistractionRect
This is what I took away from the reading. It's basically a shift/employee management platform. The only reason we're even discussing HIPAA is because it's health care industry adjacent.
If you replaced nurses with gig workers and uber for nurses with something like WeWork this would just be like every other leak we talk about on HN.
AlotOfReading
HIPAA avoidance is much narrower than that. Entities which perform administrative or managerial duties on behalf of a mandated organization that have to transmit PII to provide that service are also covered, even if the entity itself isn't a provider.
If 'Uber for nurses' is acting on behalf of nurses, it probably doesn't apply? If it's acting on behalf of the hospitals (who are indisputably covered entities), then the situation is much less clear.
I encountered a similar situation with my startup many years ago and decided "better safe than sorry" after consulting the lawyer.
skue
This 100%. This needs to be a top level comment.
colechristensen
Ah, doing more than skimming the article
>I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations.
The title is exaggerating what the article says and the article is making a big stretch about this being possibly HIPAA covered, I stand corrected, this has nothing to do with HIPAA.
What was leaked was nurses' doctors notes submitted justifying calling out of work. Still a serious leak but nowhere near what is being suggested.
refulgentis
I'm confused because the article lays it out by the 4th paragraph, and you have the right understanding, up until "we're a startup"
Maybe you think the startup maintains patient records?
The article lays out the nurses uploaded them, the provider. This is a temp booking system. The health records were uploaded by the nurses to communicate reasons for absences to their employer and weren't required or requested
They have as much responsibility as Dropbox does. Nurses shouldn't have uploaded them.
jppope
Worth mentioning, because the authority level of medical practitioners throws people off. Don't ever give a doctor or practice your Social Security Number. They don't need it. Similarly if they want to check an ID that doesn't mean scan or photograph. Doctors, practices, etc are the worst at infosec. They have no training, basically no penalties if they do something wrong and all of that info is only to follow up in case you don't pay your bill.
thfuran
In the US, HIPAA is pretty much the strongest privacy legislation there is. There's probably no group that would have a more severe penalty for leaking your info than your healthcare provider.
jandrese
HIPAA has strict rules with severe penalties, but enforcement is at best spotty. So honest hospitals and doctors offices bend over backwards to comply with the rules at great expense, but bad actors are rarely punished. It's the worst of both worlds. I'm pretty sure that is why the punishments are so harsh, because they need to put the fear of god into practitioners to make them take it seriously since there are so few inspectors.
timewizard
It's the difference in medical establishment skill level between your doctor and you. You are always at a disadvantage. I've long thought that a disinterested third party needs to be involved. Someone with real oversight taking a position adversarial to the hospital and strictly to create the best possible outcome for the patient.
The Hippocratic model isn't awesome.
scarmig
Perhaps true, but the strongest privacy protections in the US are still pretty weak. The biggest penalty I know of is Anthem 2018, where they leaked HIPAA-qualifying records on 80 million customers. Their financial penalty was a whopping... $16 million. Two dimes per affected customer!
thfuran
It's true that the US rarely penalizes corporations enough to really disincentivize things, but healthcare providers probably take client data security more seriously than just about any other group besides maybe law firms. It's weird to single them out as being particularly unconcerned with and unpenalized for leaks.
eclipticplane
HIPAA was designed for portability -- the 'p' stands for portability not privacy -- of health info, so there are immense carve outs in service of that objective. Fines for violating HIPAA are almost non-existent.
HIPAA is wildly misunderstood by the public as a strong safeguard, meanwhile medical offices just get any patient (a captive audience) to sign a release waiver as part of patient intake ...
slt2021
PCI-DSS is the strongest, HIPAA is just a rubber stamp
thfuran
That's not actually law at all. It's part of the contract with payment processors.
paulcole
How many healthcare providers do you know personally who have faced severe penalties for leaking information?
The reality is that for a small doctor/dental/whatever office, there is essentially 0 risk. HIPAA violations that carry significant penalties go to huge hospitals and healthcare companies.
Your neighborhood doctor has to screw up in a major way for an extended period of time to have a minute risk of any consequence.
jmye
How much information do you think your neighborhood PCP is “leaking” compared to, say, Elevance? This is such a goofy take. Are you expecting that every small provider group is just firing your data off on Facebook every Tuesday, and somehow, no one cares? They’re all using certified EMRs. They all take security seriously because their licenses are literally on the line. Do you work in healthcare?
If they provably expose your data, and you report them, they will get fined. Or they would have last year, who knows if those people still have jobs.
SR2Z
And yet the data still seems to leak pretty frequently...
andrewmcwatters
Only the young and inexperienced believe the law is enforced when it matters.
colechristensen
Eh.
Last year the total HIPAA violations fines were less than $9.2 million.
A figure I could find for hospital revenue in the same year which is a good enough proxy for fines vs revenue is about $1.2 trillion.
Which, rounding because who cares, comes to 0.001% of medical revenue ending up paid as HIPAA violation fines.
Or the equivalent ratio of about a cup of coffee for a typical enough person per year.
HIPAA needs teeth, what it says you're supposed to do is quite strong, the enforcement of it is pathetic.
supertrope
What do you do if they refuse to book an appointment without it?
mayneack
I've never had that happen (sample size ~5). They accept non-citizen patients, so they probably don't make SSN a required field.
(for SSN, never tried to prevent scanning of my ID)
jppope
You can just use my SSN: 123-45-6789.
x3n0ph3n3
Find a new provider. I have gone 2 decades without providing my SSN to doctors.
edoceo
New provider is unrealistic for many in USA. In NYC, maybe easy; in rural WI/KS much less so.
mhitza
I wonder how old the S3 bucket was, because at some point AWS made new S3 buckets private by default.
Which means it's either old, or they recklessly opened it up because they couldn't get files uploaded/downloaded to the bucket from their mobile app/services.
bpodgursky
Also possible a webdev opened it up so they could use the assets on a website, and didn't think about other private data in the bucket.
999900000999
Are y'all gonna blame AWS like you blamed Firebase last week ?
The security procedures I take while hacking out something for my friends at 3am should not extend to products hosting PII. It's up to YOU to implement basic data security.
onion2k
> It's up to YOU to implement basic data security.
You definitely need to do this, but a platform should help where possible, and try to have users fall into a 'pit of success' where if a dev just goes with the defaults everything is fine. In this case, S3 buckets should be private and encrypted by default and devs should need to actively choose to switch those things off (which I think may be the case now, but it wasn't in the past.)
gtirloni
Why "Uber for nurses" and not the actual company name in the title?
nick__m
According to the article the name is ESHYFT. It sounds like a brand of electronics found on AliExpress but with less quality!
ks2048
Please invest in my startup, ENSHITIFY
Mistletoe
It lets me know the company is bullshit in a way the company name never would.
RobotToaster
Why does this keep happening? It seems like every month there's a new leak from an open S3 bucket?
dmix
New companies with immature systems, old companies hiring young developers doing side stuff off in their own world, bad default configurations etc
Most importantly there's a large amount of highly incentivized people probing constantly at mass scale. These days it's very easy to scan the internet (github, IPs, domains, etc) for information and "bad S3 configuration" detection is just a script anyone can use. No advanced programming skills required.
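The two threads above (mhitza and onion2k on whether the bucket predates AWS's private-by-default settings, and dmix's point that "bad S3 configuration" detection is just a script) both come down to the same evaluation. The following checker is an added example for this page, not code from the article, from ESHYFT, or from AWS; it takes the three API responses that decide a bucket's public exposure (GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy, all constructed inline here in the shape boto3 returns them) and applies the rules S3 actually enforces: IgnorePublicAcls neutralises public ACL grants, RestrictPublicBuckets neutralises public bucket policies, and the two Block* flags only reject future public settings without touching what is already there. New buckets created since April 2023 get all four settings enabled and ACLs disabled; the page does not say when this bucket was created or whether those defaults were switched off, which is exactly why the check is worth running against real settings.

```python
"""Offline evaluation of whether an S3 bucket's settings leave it publicly readable.

Added example; the inputs are constructed to match the shapes returned by
get_public_access_block / get_bucket_acl / get_bucket_policy, not real data."""
import fnmatch
import json

# Grantee URIs that make an ACL "public" in S3's own definition.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ALL_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
ALL_ON = {k: True for k in ALL_OFF}  # the default for buckets created since April 2023


def acl_public_read(acl):
    """True if the bucket ACL grants READ (list objects) or FULL_CONTROL to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_ACL_GROUPS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False


def _anonymous_principal(principal):
    """Principal "*" or {"AWS": "*"} (or a list containing "*") means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _action_covers_getobject(action):
    """IAM actions are case-insensitive globs: "s3:GetObject", "s3:Get*", "s3:*", "*"."""
    actions = action if isinstance(action, list) else [action]
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in actions)


def policy_public_read(policy_doc):
    """True if any Allow statement lets an anonymous principal call s3:GetObject.

    Statements carrying a Condition are counted as well: aws:SourceIp can scope a
    grant down, but aws:Referer is trivially spoofed, so flag and review rather
    than silently trust a condition."""
    if not policy_doc:
        return False
    statements = policy_doc.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return any(
        st.get("Effect") == "Allow"
        and _anonymous_principal(st.get("Principal"))
        and _action_covers_getobject(st.get("Action", []))
        for st in statements
    )


def effective_public_read(bpa, acl, policy_doc):
    """Return the list of reasons the bucket is publicly readable (empty = not public)."""
    reasons = []
    if acl_public_read(acl) and not bpa.get("IgnorePublicAcls"):
        reasons.append("public ACL grant and IgnorePublicAcls is off")
    if policy_public_read(policy_doc) and not bpa.get("RestrictPublicBuckets"):
        reasons.append("public bucket policy and RestrictPublicBuckets is off")
    return reasons


# Constructed sample settings for a hypothetical leaky bucket (not the article's bucket).
LEAKY_ACL = {"Grants": [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-uploads-bucket/*"
  }]
}""")

if __name__ == "__main__":
    # Same ACL and policy; the only difference is whether Block Public Access is on.
    for label, bpa in (("Block Public Access off", ALL_OFF), ("Block Public Access on", ALL_ON)):
        print(label, "->", effective_public_read(bpa, LEAKY_ACL, LEAKY_POLICY) or ["not public"])
```

To run it against a real bucket, feed it the output of `aws s3api get-public-access-block`, `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` for that bucket; an empty list means anonymous reads are not possible regardless of what the ACL or policy say, which is the "pit of success" onion2k describes.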
dikaio
Would be surprised if this company makes it out of this. Medical records…. Yikes
xyst
A company of this size definitely wouldn’t be able to tank a multimillion dollar lawsuit.
tmpz22
Are we pretending that there are still functional regulatory agencies that are able to take action over this?
albert_e
The linked article does not mention Amazon S3 or AWS
Is there a different source for the "open S3 bucket" in HN title?
marcus0x62
Move fast and violate HIPAA.
xattt
Does HIPAA apply to HR info, or just patient health data?
kryogen1c
HR likely deals with health info related to disability or FMLA claims, or work-related injuries that is shared with health care providers and/or insurance companies; this makes them a covered entity subject to the requirements under HIPAA.
ahstilde
Protected health information (PHI) under U.S. law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.
source: i run Wyndly (YC W21 https://www.wyndly.com), which is most easily understood as a telehealth allergist online.
nradov
Sure, that's the definition of PHI but is ESHYFT a HIPAA covered entity? If not then the definition of PHI isn't legally relevant (although they still have an ethical requirement to secure employee data, and might have violated other data protection laws).
https://www.hhs.gov/hipaa/for-professionals/covered-entities...
SkyPuncher
Yes, but you're missing a massive caveat that is conditional on the definition of "covered entity".
Covered Entity has a narrow meaning. Notably, if you don't accept insurance, it's very unlikely you're a covered entity.
thfuran
It considers non-health-specific identifying info about patients that might be stored with the health-specific info to also be PHI.
bigfatfrock
Sorry for the dude that built their infra and was really tired and then woke up to this, what a bummer.
I'll need to dig up a source but I recently heard about this company and, apparently, before offering gigs they do a credit report to determine how much debt the person is carrying (i.e. how desperate they are) and they use that information to _round down_ the hourly rate they offer them.
In the unlikely event that there are any negative consequences for this breach, they deserve every bit of them and more.