Archer Health, a US-based in-home and palliative care provider, accidentally left around 145,000 patient files exposed online. The database had no password or encryption, allowing anyone who knew where to look to access sensitive information.
Cybersecurity researcher Jeremiah Fowler discovered the files and notified the company. The database contained roughly 23GB of data including PDFs, PNGs, and other documents. Patient details included names, social security numbers, addresses, phone numbers, and patient IDs.
It also contained medical records such as diagnoses, treatment plans, discharge documents, and care assessments. This made the breach particularly serious as it combined both personal and health data.
While there is no evidence that the data was shared on the dark web, the risk of exposure was high. The company moved quickly once alerted and secured the database.
Table of Contents
How the breach was discovered
The exposed database came to light after Fowler, a cybersecurity researcher, was scanning for unsecured systems. He found the database and immediately contacted Archer Health to prevent potential misuse.
The database was publicly accessible, meaning it could have been found by anyone with technical knowledge. It included multiple types of internal documents used by the company for patient care management. Fowler’s report allowed Archer Health to act fast.
The researcher highlighted that this kind of exposure is surprisingly common and often stems from human error or misconfigured cloud storage. While Archer Health’s response was prompt, the incident underscores the need for continuous monitoring of sensitive data online, especially in the healthcare sector.
What Archer Health does
If you are not aware, Archer Health provides in-home medical and palliative care. Their services include skilled nursing, therapy such as physical, speech, and occupational therapy, nutritional guidance, social work, home health aides, and wound care.
They also offer palliative care focusing on comfort, symptom relief, and chronic disease management. The company works in patients’ homes, providing care that would typically require hospital visits. With such sensitive operations, safeguarding patient data is critical.
The exposed database contained many documents that are essential for patient care but also highly personal. This breach highlights the balance healthcare providers must strike between operational efficiency and cybersecurity. Archer Health confirmed that protecting patient privacy is a top priority and they are investigating the breach fully.
How did Archer Health respond?
After being contacted, Archer Health immediately locked down the database. The company publicly thanked Fowler for his assistance. Archer Health stated that they take data security seriously and are actively reviewing security protocols to prevent future incidents.
Without forensic analysis, it is impossible to confirm if anyone accessed the data before it was secured. There is also no confirmation on how long the database was publicly accessible or if it was managed by a third-party vendor.
Experts say healthcare data breaches can have lasting effects on patients if sensitive information is stolen or misused. While no dark web leaks have been reported, this incident is a warning for other healthcare providers to audit and secure cloud-based and local databases regularly.