Archer Health was leaking protected health information. Criminals appear to have found it.
In a disturbing revelation, researchers at Website Planet recently uncovered a misconfigured bucket on the website of Archer Health, an in-home healthcare provider, that exposed sensitive patient data. The leak, which was first reported by Jeremiah Fowler, contained approximately 145k files (totaling 23 GB) that were unencrypted and non-password-protected.
According to Fowler's report, the exposed files included names, patient ID numbers, Social Security numbers, physical addresses, phone numbers, and other potentially sensitive health-related data. Additionally, documents marked as assessments, home health certifications, plan of care documents, and discharge forms contained Protected Individual Information (PII) and Protected Health Information (PHI). The leaked data also included screenshots from healthcare management software that showed active dashboards, logging, tracking, and scheduling details containing PII of patients and providers.
Some folders' names even contained the first and last names of patients, while others used generic terms such as "faxed orders," "merged pdfs," "received faxes," "referrals," and more. The data appeared to originate from Archer Home Health, also known as Archer Health, but Fowler was unsure who managed the data.
Fowler sent a responsible disclosure alert to Archer Health on September 4, just days after discovering the leak at the end of August. Archer responded in less than 24 hours, which is impressive considering the severity of the situation.
However, not everyone was as quick to respond. Just seven days later, on September 7, KillSec3, a notorious group known for exploiting exposed files and trying to extort entities, added Archer Health to their dark web leak site. According to Fowler, KillSec3 then leaked what they claimed was 8 GB of files that they had exfiltrated from the Archer Health database.
DataBreaches has previously exposed KillSec3 as a group that relies on grayhatwarfare sources to find exposed files and uses them to extort entities. In our sample, we found that 39 out of KillSec's 68 victims had previous leaks of the same or almost identical data, while 36 out of their 44 currently active posts are linked to publicly exposed data.
In some cases, the leaks had gone on for years. Of five leaks that were first detected by researchers in 2019 and 2020, one was secured after KillSec claimed an attack on them; the other four remain unsecured to this day. In other cases, leaks had first been noted by researchers months before KillSec added them to their leak site.
It is unclear whether Fowler and KillSec3 both found the same exposed data or not. However, DataBreaches reached out to KillSec3 to ask when they acquired the Archer data and how they gained access to it. They responded with a dismissive tone, stating that they were too lazy to ask their affiliate about this and didn't care.
DataBreaches also emailed Archer Health to inquire about several aspects of the incident, including when the data were first exposed and whether they were aware that KillSec3 had allegedly acquired and dumped 8 GB of their data. DataBreaches further asked whether Archer has notified HHS (Health and Human Services) and patients, and what actions the company is taking in response to this incident.
As of publication, we have not received a response from Archer Health regarding these questions. The lack of transparency from the company is concerning, especially given the severity of the situation.