A large cache of medical and personal information belonging to patients of Archer Health Inc. was left publicly accessible after a database was found online without encryption or password protection. Archer Health Inc., also known as Archer Home Health, is a California-based provider of in-home healthcare and palliative care services.
The exposure, first identified by cybersecurity researcher Jeremiah Fowler and reported to Website Planet, included highly sensitive files that could have put thousands of individuals at risk.
The database held more than 145,000 files, totalling roughly 23 gigabytes. Among the documents were patient assessments, home health certifications, care plans, discharge forms, and internal communications.
Many of these contained personal details such as names, Social Security numbers (SSN), addresses, phone numbers, patient ID numbers, and medical information. Some folders were even labelled with patient names, while others contained categories like “faxed orders” or “referrals,” further confirming the sensitive nature of the data.
The files also included screenshots of healthcare management software dashboards, showing scheduling details, provider information, and patient records. Such exposures can carry significant risks, including identity theft, fraud, and violations of medical privacy regulations like HIPAA.
Fowler reported the exposure directly to the company, and access to the database was restricted within hours. Archer Health acknowledged the notification, stating that it takes patient privacy seriously and that its team is investigating the issue.
It remains unclear how long the database was exposed or whether any unauthorised parties accessed the records before it was secured; without access logging on the storage service, that question usually cannot be answered after the fact. Incidents like this illustrate the persistent risk of storing healthcare data without authentication or access controls.
Possible Legal Consequences
While Archer Health acted quickly once informed, patients whose records were included in the exposure may face long-term consequences if their identifiers or medical histories were accessed or copied by threat actors during the time the database was online.
Additionally, when a healthcare provider or related service fails to protect sensitive data, it may face serious legal exposure. In a related example, a misconfigured Amazon Web Services (AWS) bucket belonging to Florida-based IMDataCenter was publicly exposed, letting a hacker known as “ThinkingOne” download tens of gigabytes of records, including names, emails, addresses and even Social Security numbers.
In response, IMDataCenter is now the target of a lawsuit over the data leak. If Archer Health faces similar scrutiny, it could confront claims under privacy and data protection laws, especially laws governing health and personal information.
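The IMDataCenter case above turned on a misconfigured AWS S3 bucket. As an added example, not code from the article, Archer Health, IMDataCenter or AWS, the Python below evaluates an S3 bucket policy document entirely offline, reports the statements that let anonymous callers download or list objects, and checks whether the bucket's Block Public Access setting RestrictPublicBuckets neutralises them. The sample policies, the bucket name example-records, the IP range and the account ID 123456789012 are constructed placeholders.

```python
"""Offline check for S3 bucket policies that grant anonymous read access.

Added example for this article, not code from Archer Health, IMDataCenter,
Website Planet or AWS. The policies below are constructed samples; the account
ID 123456789012 and bucket name example-records are placeholders.
"""
import fnmatch

# Actions that let an anonymous caller download or enumerate bucket contents.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True when Principal includes the wildcard '*' (any caller, unauthenticated)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions):
    """True when any action pattern (s3:GetObject, s3:Get*, s3:*, *) covers a read.

    IAM matches action names case-insensitively and treats '*' as a wildcard,
    which fnmatch reproduces closely enough for this check.
    """
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatchcase(read.lower(), pat)
               for pat in patterns for read in READ_ACTIONS)


def find_public_statements(policy):
    """Split Allow statements exposing reads to anyone into two lists:
    unconditional (public to the whole internet) and conditional (public only
    when a Condition such as aws:SourceIp holds; review those by hand).
    """
    unconditional, conditional = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action")):
            continue
        (conditional if stmt.get("Condition") else unconditional).append(stmt)
    return unconditional, conditional


def is_effectively_public(policy, public_access_block=None):
    """True when the policy exposes reads and Block Public Access does not stop it.

    With RestrictPublicBuckets enabled, S3 ignores a public bucket policy for
    callers outside the owning account, so the bucket is not reachable
    anonymously even though the policy text still looks public.
    """
    if public_access_block and public_access_block.get("RestrictPublicBuckets"):
        return False
    unconditional, _ = find_public_statements(policy)
    return bool(unconditional)


# Constructed sample: the classic misconfiguration, anyone may GET any object.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records/*",
    }],
}

# Constructed sample: reads limited to one IAM role in the owning account,
# plus a listing statement that is public only from a fixed source range.
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-records/*",
        },
        {
            "Sid": "ListFromOffice",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-records",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("PUBLIC_READ_POLICY", PUBLIC_READ_POLICY),
                         ("MIXED_POLICY", MIXED_POLICY)):
        unconditional, conditional = find_public_statements(policy)
        print(name, "public:", is_effectively_public(policy),
              "unconditional:", [s["Sid"] for s in unconditional],
              "conditional:", [s["Sid"] for s in conditional])
```

To run this against a real bucket, feed it the parsed `Policy` string returned by `aws s3api get-bucket-policy` and the `PublicAccessBlockConfiguration` object from `aws s3api get-public-access-block`. The check covers only the bucket policy; object and bucket ACLs, account-level public access blocks and access points need their own review, which is why the RestrictPublicBuckets result should be read as a strong hint rather than proof.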