From our “No Need to Hack When It’s Leaking” files, a report involving Archer Health, an in-home healthcare provider.
Website Planet recently reported a misconfigured bucket that was found by researcher Jeremiah Fowler. The unencrypted and non-password-protected database reportedly contained approximately 145k files (totaling 23 GB).
“In a limited sampling of the exposed files, I saw medical documents that contained names, patient ID numbers, SSNs, physical addresses, phone numbers, and more,” Fowler wrote. “Additionally, there were documents marked as assessments, home health certifications, plan of care documents, and discharge forms that contained PII and PHI, as well as additional details such as diagnoses, treatments, and other potentially sensitive health-related data that should not be publicly exposed.” Later in the report, he added, “In this case, the database included numerous screenshots from a healthcare management software that showed active dashboards, logging, tracking, and scheduling details that included PII of patients and providers. The folders themselves indicated details of the data they contained. Some folders’ names contained the first and last names of patients; others used names such as “faxed orders”, “merged pdfs”, “received faxes”, “referrals”, “screenshots”, and more.”
The data appeared to come from Archer Home Health, aka Archer Health, but Fowler could not be sure who managed the data and so sent a responsible disclosure alert to Archer Health. Although it is not reported in the published report, Fowler tells DataBreaches that he discovered the leak at the end of August, but first reviewed it on September 1 and 2. The notification to Archer was sent on September 4, and Archer responded less than 24 hours later.
The timeline was of note because although Fowler wrote that he was not aware whether anyone else had accessed the data, on September 7, KillSec3 had added Archer Health to their darkweb leak site. On September 8, they leaked what they claimed was 8 GB of files that they had exfiltrated.
Long-time readers may recall that in December 2024, DataBreaches and JayeLTee had exposed KillSec3 as a group that simply used sources like grayhatwarfare to find exposed files that they then downloaded and used to try to extort entities:
For the time period we sampled, we found that 39 out of KillSec’s 68 victims had previous leaks of the same or almost identical data, and 36 out of their 44 currently active posts are linked to publicly exposed data.
In some cases, the leaks had gone on for years. Of five leaks that were first detected by researchers in 2019 and 2020, one was secured after KillSec claimed an attack on them; the other four remain unsecured to this day. In other cases, leaks had first been noted by researchers months before KillSec added them to their leak site.
DataBreaches does not know whether Fowler and KillSec3 both found the same exposed data or not. But DataBreaches reached out to KillSec3 to ask them when they had acquired the Archer data and whether they had found the leak on grayhatwarfare or if they gained access a different way. They answered, “im too lazy to ask affiliate about this + i dont care.”
DataBreaches emailed Archer to ask a number of questions, including when the data were first exposed and whether they were aware that KillSec3 had allegedly acquired — and dumped — 8 GB of their data. DataBreaches also inquired whether Archer has notified HHS and patients, and what Archer is doing in response to this incident.
No reply has been received by publication.
Updated September 28: There has still been no reply from Archer, but this site was finally able to complete downloading the data tranche leaked by KillSec3. The two parts contained a lot of duplicates. After de-duplicating, it appeared that there were almost 4 GB of data consisting of 16,743 files with protected health information.
Updated September 30: After examining the de-duplicated records, it appears clear that these are almost all files with protected health information of patients, although all may not be readable. The most recent date stamps on the files was August 20, 2025.