A database in the healthcare industry was exposed, as discovered by Cybersecurity Researcher Jeremiah Fowler. Records found in the database indicate the information belongs to Archer Health, Inc., also known as Archer Home Health, though it is unknown if the database itself was owned and operated by the organization or by another party. Upon sending a responsible disclosure notice, Fowler received the following response: “Thank you for bringing this to our attention. We take data security and patient privacy very seriously. Our team is actively investigating this matter and will address any security issues promptly.”

The database was publicly exposed, with no password protection or encryption. There were approximately 145,596 files in a variety of formats, such as PDFs and PNGs. The documents included home health certifications, plan of care documents, assessments, discharge forms, and medical documents. These medical documents contained: 

• Names,
• ID numbers of patients
• Physical addresses
• Phone numbers
• Social Security numbers 

“Health data is unique because it stays with individuals forever, whereas banking or credit information can be changed,” the research states. “Criminals also value this information because it could potentially enable a wide range of fraudulent activities, including extortion, identity theft, prescription fraud, false medical billing, and even the creation of synthetic identities that may go undetected for years. On the black market, health records are often sold at a higher price than financial data because they contain comprehensive personal and health profiles of individuals.”

It is currently unknown how long this database was exposed, or if a threat actor gained access to it.