Archer Health leaks data of patients, exposes almost 150,000 Records
Learn More
Archer Health, Inc., a California-based healthcare provider specializing in skilled in-home nursing and palliative care services, was found to be leaking patient data.
The leak was discovered by cybersecurity researcher Jeremiah Fowler on September 25, 2025.
The cause of this data leak was a misconfigured database that was exposed on the internet without any security measures including password protection and encryption. The database exposed approximately 145,596 files totaling 23 GB of sensitive patient health information and internal company documents. Exposed data includes:
- Names and patient identification numbers
- Social Security Numbers (SSNs)
- Physical addresses and phone numbers
- Diagnoses and treatment information
- Medical assessments and health certifications
- Plan of care documents and discharge forms
- Health insurance information and billing details
- Internal screenshots from healthcare management software showing active dashboards, logging, tracking, and scheduling details
The breach was compounded by a separate ransomware attack conducted by the threat actor group "KillSec" that targeted Archer Health around the same time period in early September 2025.
The number of affected individuals is not disclosed. Patients typically have multiple documents in their healthcare records, meaning the actual number of affected individuals could be significantly lower than the total number of files.
After the responsible disclosure notice from Fowler, Archer Health restricted public access to the database within hours. The company acknowledged the security incident, stating through their representative: "Thank you for bringing this to our attention. We take data security and patient privacy very seriously. Our team is actively investigating this matter and will address any security issues promptly."
It's not clear whether the database was owned and managed directly by Archer Health or by a third-party contractor, and the duration of the exposure prior to discovery has not been established.
