Security Researcher Identifies Exposed 150,000-record Home Health Care Database
Cybersecurity researcher Jeremiah Fowler has found an exposed 23.7 GB database containing more than 145,000 files, such as PDFs, PNGs, and other image files. The database has been linked to the California home health and palliative care provider, Archer Health. Fowler analyzed a sample of the files and identified patient names, contact information, Social Security numbers, and patient ID numbers. The files included medical documents such as discharge summaries, which included health information such as conditions, diagnoses, admission and discharge dates, treatment information, care plan information, as well as assessments and home health certifications.
Many of the image files were screenshots of healthcare management software that showed active dashboards, logging, tracking, and scheduling details. Some of the folder names included patients’ first and last names – a bad security practice. As Fowler pointed out, personally identifiable information such as patient names can easily be exposed through error or monitoring logs. Fowler was able to link the database to Archer Health and notified the company about the exposed database, which was secured within hours and is no longer accessible. Archer Health thanked Fowler for bringing the matter to their attention and confirmed that an investigation had been launched, and any security issues that led to the exposure would be addressed.
It was not possible to tell how long the database was exposed, if it was accessed or copied by any unauthorized individuals, or whether the database was maintained by Archer Health or one of its vendors. Since only a sample of files was analyzed, it is unclear how many patients had their data exposed.
Update December 2025: Archer Health has reported the data breach to the HHS Office for Civil Rights as involving the protected health information of 4,285 individuals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Mailing Error Impacts More Than 3,100 Arizonans
The Arizona Health Care Cost Containment System (AHCCCS), Arizona’s Medicaid agency, has notified 3,177 members about an impermissible disclosure of a limited amount of protected health information. On August 29, 2025, a mailing error was identified with a routine mailing regarding members’ health plan enrollment when a member called AHCCCS after receiving a misdirected letter.
The mailing was immediately halted, and an investigation was launched to determine the cause of the error, the individuals affected, and the information involved. The letters did not include any highly sensitive information, such as Social Security numbers, only a member’s name, AHCCCS identification number, and health plan name. In each case, the letters were sent to one incorrect recipient. HCCCS said it has conducted a review of its mailing processes and procedures and has taken steps to prevent similar mis-mailings in the future.
