Tens of thousands of employee records from Stanford Health Care (SHC) and Hillsboro Medical Center (HMC) were exposed after contractor Perfectshift failed to secure its MongoDB database. The vulnerability was discovered by Cybernews researchers who alerted the company in August, but the database remained exposed until late October.

In August 2025, Cybernews Research discovered an unsecured MongoDB database belonging to Perfectshift, a healthcare shift management service. It contained sensitive employee and contractor data from two healthcare facilities: Stanford Health Care, affiliated with Stanford Medical School, and Hillsboro Medical Center in Oregon.
The database held over 50,000 records, including:
employee full names,
corporate email addresses,
hashed passwords (bcrypt, cost 10),
IP addresses,
cookie sessions,
authorization tokens,
as well as payment data and browser information.
The data was not encrypted, and the database required no authentication. Researchers alerted Perfectshift on August 21 and CERT on September 3, but the leak was closed only on October 30.
Experts warn that the disclosure of tokens and sessions could lead to the compromise of employee accounts, as well as further attacks such as phishing and credential stuffing. Attackers could use the access for lateral movement on the network or resell the access to ransomware groups.

Fortunately, no medical data or PHI (Protected Health Information) was found in the database, but even work accounts pose a potential threat to healthcare systems, which remain vulnerable to disruptions and attacks.
Perfectshift is a third-party IT services provider for human resource management in the healthcare sector. Such companies often operate with large amounts of unstructured data using MongoDB, which makes them a potential target for attacks.
The main problem, analysts say, is the human factor: databases often remain unprotected due to a lack of authentication or configuration errors. This case is another reminder that even in an industry with the highest confidentiality requirements (like medicine), the protection of contractor data can be a weak link.
The Perfectshift leak highlights the critical importance of controlling access to databases and checking the cyber hygiene of third-party providers. Even in the absence of patient data, information about healthcare workers can become a tool for social engineering and intrusions into corporate networks. For organizations like Stanford Health Care, this is another reminder: a secure ecosystem starts with the smallest node.