Nearly 150,000 patient records exposed in major healthcare data breach - here's what we know

News
By published

Archer Health kept an unprotected database on the internet

A person in a medical practice typing on a laptop.
(Image credit: Pixabay)
  • Archer Health exposed 145,000 sensitive files through an unprotected, publicly accessible database
  • Leaked data included names, SSNs, diagnoses, and other personal and medical information
  • Database was secured after researcher’s tip; no evidence of dark web distribution yet

Archer Health, a US-based in-home and palliative care service provider, kept an unprotected database available on the wider internet, leaking sensitive personal and health data to anyone who knew where to look, experts have warned.

Cybersecurity researcher Jeremiah Fowler flagged the finding to WebsitePlanet after finding the database and helping it get locked down.

Fowler found an unencrypted, non-password-protected database containing roughly 145,000 files, including PDF, PNG, and other files, and held documents such as various assessments, home health certifications, plan of care documents, discharge forms, and other internal documents.

Locking the database down

Overall, these files, which and measured in at 23GB, also contained people’s names, patient ID numbers, SSNs, postal addresses, phone numbers, and other personally identifiable information (PII). Other documents contained diagnoses, treatments, and other potentially sensitive healthcare data.

Archer Health, also known as Archer Home Health/Home Health & Palliative Care) is a provider of in-home medical services. The company offers skilled nursing, therapy (physical, speech, occupational), nutritional guidance, medical social work, home health aides, wound care, and more., delivered in the patient's home.

They also provide palliative care, focusing on symptom relief, disease management, comfort, and support for patients with serious or chronic illness.

Soon after Fowler reached out, the company locked the database down, and thanked the researcher for the tip.

“Thank you for bringing this to our attention,” Archer Health told Fowler. “We take data security and patient privacy very seriously. Our team is actively investigating this matter and will address any security issues promptly.”

Without proper forensic analysis, it is impossible to say if someone accessed the database before Fowler found it. There is no evidence that this database was leaked anywhere on the dark web. Furthermore, we don’t know for how long the archive remained open, or who managed it (Archer Health or a third party).

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.