- Archer Health exposed 145,000 sensitive files through an unprotected, publicly accessible database
- Leaked data included names, SSNs, diagnoses, and other personal and medical information
- Database was secured after researcher’s tip; no evidence of dark web distribution yet
Archer Health, a US-based in-home and palliative care service provider, kept an unprotected database available on the wider internet, leaking sensitive personal and health data to anyone who knew where to look, experts have warned.
Cybersecurity researcher Jeremiah Fowler flagged the finding to WebsitePlanet after finding the database and helping it get locked down.
Fowler found an unencrypted, non-password-protected database containing roughly 145,000 files, including PDF, PNG, and other files, and held documents such as various assessments, home health certifications, plan of care documents, discharge forms, and other internal documents.
Locking the database down
Overall, these files, which and measured in at 23GB, also contained people’s names, patient ID numbers, SSNs, postal addresses, phone numbers, and other personally identifiable information (PII). Other documents contained diagnoses, treatments, and other potentially sensitive healthcare data.
Archer Health, also known as Archer Home Health/Home Health & Palliative Care) is a provider of in-home medical services. The company offers skilled nursing, therapy (physical, speech, occupational), nutritional guidance, medical social work, home health aides, wound care, and more., delivered in the patient’s home.
They also provide palliative care, focusing on symptom relief, disease management, comfort, and support for patients with serious or chronic illness.
Soon after Fowler reached out, the company locked the database down, and thanked the researcher for the tip.
“Thank you for bringing this to our attention,” Archer Health told Fowler. “We take data security and patient privacy very seriously. Our team is actively investigating this matter and will address any security issues promptly.”
Without proper forensic analysis, it is impossible to say if someone accessed the database before Fowler found it. There is no evidence that this database was leaked anywhere on the dark web. Furthermore, we don’t know for how long the archive remained open, or who managed it (Archer Health or a third party).
