A California-based in-home health and palliative care provider, Archer Health Inc., left a large cache of medical and personal information publicly accessible after a database was found online without encryption or password protection, according to security researchers.
The exposure involved more than 145,000 files, totaling up to 23 gigabytes, and included patient assessments, home health certifications, care plans, discharge forms and internal communications. Some folders even carried patient names, while others were labeled with terms such as “faxed orders” and “referrals,” underscoring the sensitive nature of the data.
Documents revealed personal details such as names, Social Security numbers, addresses, phone numbers, patient ID numbers and medical information. The incident also included screenshots of healthcare management software dashboards showing scheduling details, provider information and patient records.
The breach was first identified by a cybersecurity researcher and reported to Website Planet, after which Archer Health restricted access within hours. The company said it takes patient privacy seriously and is investigating the issue.
It is unclear how long the database was exposed or whether unauthorized parties accessed the records before it was secured. Experts warn that such exposures create risks of identity theft, fraud and potential HIPAA violations, highlighting the ongoing vulnerability of healthcare data stored without proper authentication.
Legal risk could follow for Archer Health if regulators or plaintiffs alleged violations of privacy and data protection laws governing health information. The episode adds to a broader pattern of misconfigurations that expose sensitive healthcare data online.