
Names, payroll data, hashed passwords, and thousands of other sensitive records belonging to Stanford Health Care’s staff were exposed after a third-party contractor, Perfectshift, left an unprotected database accessible to the public.
The Cybernews research team discovered the leak in late August, after noticing an unprotected MongoDB database hosted by Perfectshift, a healthcare workforce management services provider.
According to our team, the exposed database included employee and contractor account details for Stanford Health Care (SHC) and Hillsboro Medical Center (HMC). SHC is a prestigious hospital system affiliated with the Stanford University School of Medicine. HMC is a medical care facility located in Oregon.
Many businesses utilize MongoDB to handle large swaths of unstructured data. However, Perfectshift appears to be plagued by a common issue: databases are left unprotected without authentication, often due to human error.
“While it appeared that the data was imported to the database from encrypted sources, the data in the database was not encrypted or access-controlled,” our team explained.
The team responsibly disclosed the issue to Perfectshift in August. The company closed the exposed database in late October. We have reached out to Perfectshift for comment and will update the article once we receive an official reply.
What data was involved in the leak?
The exposed dataset contained over 50,000 records, which our team attributed to SHC and HMC. The database included information that corresponded to what a workforce management service provider would need, including:
- Payroll data
- Full names
- Work email addresses
- Hashed passwords
- Browser agents
- IP addresses
- Session cookies
- Authorization tokens
In theory, the data could become a gold mine for malicious actors. For one, exposed individuals are at increased risk of targeted phishing campaigns and social engineering attacks.
Threat actors are often drawn to targeting medical institutions due to the wealth of data they contain. Later, they can use it to exploit staff for scams and attempt to infiltrate medical systems, which are among the most sensitive to cyberattacks and downtime.
“Employee accounts were at risk of takeovers, as it is possible to ‘dehash’ hashed passwords or hijack active sessions thanks to leaked internal authentication tokens,” our team explained.
The mix of authentication credentials and session data could enable persistent attackers to gain unauthorized access and use it for lateral movement within the network. That’s a prized possession among initial access brokers, who later sell it to ransomware gangs and other, often financially motivated attackers.
“Leaked passwords were hashed with bcrypt (cost 10), making it a significant challenge to try and guess the leaked passwords; likely only very motivated threat actors would try to 'crack' these passwords for potential future attacks,” the team explained.
The one silver lining is that researchers did not notice any patient data, or Protected Health Information (PHI), in the exposed dataset.
“The data leak highlights how vulnerable medical software can be. While there’s not too much to gain from hijacking employee accounts for these platforms, the leaked passwords, if dehashed, could lead to credential stuffing attacks,” the team said.
Next steps
- The database is sensitive and should not be publicly accessible, as it contains PII and financial data of Stanford and Hillsboro Medical Centers’ employees.
- The owner should ensure that the database is no longer publicly accessible by enabling built-in authentication and authorization features and employing IP whitelisting.
- Leaked credentials should be reset, and affected individuals and organizations informed.
Disclosure timeline
- Leak discovered: August 19th, 2025
- Initial disclosure: August 21st, 2025
- CERT contacted: September 3rd, 2025
- Leak closed: October 30th, 2025