Full Report
From our “No Need to Hack When It’s Leaking” files, a report involving Archer Health, an in-home healthcare provider. Website Planet recently reported a misconfigured bucket that was found by researcher Jeremiah Fowler. The unencrypted and non-password-protected database reportedly contained approximately 145k files (totaling 23 GB). “In a limited sampling of the exposed files, I...
Analysis Summary
# Incident Report: Archer Health PHI Misconfiguration Leak and Extortion Attempt
## Executive Summary
Archer Health, an in-home healthcare provider, suffered a significant data exposure due to a misconfigured, unencrypted, and publicly accessible database bucket containing approximately 145,000 files (23 GB) of Protected Health Information (PHI) and Personally Identifiable Information (PII). The exposure was discovered by a security researcher in late August 2025, leading to notification and subsequent exploitation by the threat actor KillSec3, who exfiltrated and publicly posted a subset of the data in an apparent extortion attempt.
## Incident Details
- **Discovery Date:** Late August 2025 (by security researcher Jeremiah Fowler)
- **Incident Date:** Data actively being exposed prior to late August 2025; KillSec3 initiated public posting on September 7, 2025.
- **Affected Organization:** Archer Health (Archer Home Health)
- **Sector:** Healthcare (In-home healthcare provider)
- **Geography:** Not explicitly disclosed, but operations relate to US healthcare compliance (PHI/HHS mention).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to late August 2025
- **Vector:** Cloud Misconfiguration (Leaking data bucket/storage)
- **Details:** An unencrypted and non-password-protected database bucket was accessible publicly, exposing sensitive patient and provider data.
### Lateral Movement
- Not applicable. This was a direct exposure/download incident, not a network intrusion involving malware or credential compromise leading to internal lateral movement, based on the provided context.
### Data Exfiltration/Impact
- **Date/Time:** Discovered September 1/2, 2025 (by researcher). Notification sent September 4, 2025.
- **Details:** Security researcher confirmed the exposure of PHI/PII. On September 7, 2025, threat actor KillSec3 claimed to have exfiltrated 8 GB of files and began posting them to their dark web leak site on September 8, 2025.
### Detection & Response
- **Detection:** Discovered by researcher Jeremiah Fowler (late August 2025).
- **Response:** Responsible disclosure notification sent to Archer Health on September 4, 2025. Archer responded in under 24 hours (implying acknowledgment). The researcher monitored the situation, noting KillSec3's posting on September 7. Archer's compliance/notification status regarding HHS and patients remains unknown at the time of reporting.
## Attack Methodology
- **Initial Access:** Cloud Storage Misconfiguration (Likely insecure S3 bucket or similar cloud storage).
- **Persistence:** Not applicable (Direct data access/download).
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Data was publicly exposed, requiring no evasion techniques against active security controls.
- **Credential Access:** Not applicable.
- **Discovery:** Data was organized into folders named after patients and actions (e.g., "faxed orders," "referrals").
- **Lateral Movement:** Not applicable.
- **Collection:** Threat actor KillSec3 downloaded and exfiltrated a subset of the publicly exposed files.
- **Exfiltration:** KillSec3 boasted of exfiltrating 8 GB, later posting a de-duplicated 4 GB tranche of PHI.
- **Impact:** Unauthorized exposure and public release/extortion using sensitive PHI/PII.
## Impact Assessment
- **Financial:** Unknown, but likely includes investigation, remediation costs, and potential regulatory fines (HHS).
- **Data Breach:** Approximately 145,000 files (23 GB) exposed, containing PHI (diagnoses, treatments) and PII (names, SSNs, addresses, patient IDs). KillSec3 leaked ~4 GB of usable PHI.
- **Operational:** Not detailed, but the exposed files included screenshots of the healthcare management software, which reveal details of day-to-day operations.
- **Reputational:** Significant, as the incident involves widespread exposure of sensitive patient records and an alleged extortion attempt by a known actor utilizing data previously found in public leaks.
## Indicators of Compromise
*Note: As this was a misconfiguration, IOCs relate to the published data rather than active malware.*
- **Network indicators:** The threat actor (KillSec3) posted the data on infrastructure associated with data-dumping and extortion leak sites; no specific domains are listed here.
- **File indicators:** File names referencing patient initials/names, diagnostic reports, assessments, and "screenshots" of management software dashboards. Most recent timestamp found: August 20, 2025.
- **Behavioral indicators:** Postings on known dark web leak forums associated with extortion attempts leveraging exposed cloud data.
## Response Actions
- **Containment measures:** Researcher notified the organization (Responsible Disclosure on Sept 4). The organization likely took the storage bucket offline after acknowledgment, though this is inferred.
- **Eradication steps:** Requires a comprehensive audit and remediation of all cloud storage configurations to eliminate public access.
- **Recovery actions:** Not detailed, but must include patient notification, credit monitoring services, and mandatory HHS breach reporting procedures.
## Lessons Learned
- The critical failure was the lack of access control/encryption on cloud storage containing PHI/PII (misconfiguration).
- Misconfigured cloud resources pose an immediate and active threat, as threat actors (or researchers) can download data before internal teams are aware.
- The presence of known data extortion groups like KillSec3 indicates that exposed data is quickly weaponized for profit, even if the initial access was passive.
## Recommendations
- Implement immediate, organization-wide audit of all cloud storage buckets (AWS S3, Azure Blob, etc.) to ensure explicit deny-by-default policies are enforced for sensitive data.
- Mandate encryption at rest and in transit for all data repositories containing PHI/PII.
- Utilize automated data loss prevention (DLP) or cloud security posture management (CSPM) tools to alert on buckets exhibiting public read access containing sensitive data types.
- Establish a defined process for rapidly triaging and remediating data exposures reported by external researchers.
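The first and third recommendations above (deny-by-default bucket access and CSPM-style alerting on public read access to sensitive data, plus encryption at rest) can be expressed as an offline check. The following is an added example, not code from the report or from Archer Health: it evaluates bucket snapshots shaped like the AWS GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy and GetBucketEncryption responses and reports which controls fail. The bucket name and both snapshots are constructed.

```python
import json
# ACL group URIs that make a grant readable by the world / by any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GRANTEES = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_public(principal) -> bool:
    # Anonymous principal is "*" or {"AWS": "*"}, the latter as a string or a list.
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return principal == "*"

def _policy_allows_public_read(policy_json) -> bool:
    # True if any Allow statement lets an anonymous principal list or read objects.
    for stmt in json.loads(policy_json or "{}").get("Statement", []):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") == "Allow" and actions & READ_ACTIONS \
                and _principal_is_public(stmt.get("Principal")):
            return True
    return False

def audit_bucket(bucket: dict) -> list:
    """Return finding codes for one bucket snapshot; an empty list passes both controls."""
    findings, pab = [], bucket.get("PublicAccessBlock") or {}
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public-access-block-incomplete")
    # IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets neutralises
    # public bucket policies, so only grants/policies that are actually effective are flagged.
    if not pab.get("IgnorePublicAcls") and any(
            g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in bucket.get("Grants", [])):
        findings.append("acl-public-grant")
    if not pab.get("RestrictPublicBuckets") and _policy_allows_public_read(bucket.get("Policy")):
        findings.append("policy-public-read")
    if not (bucket.get("Encryption") or {}).get("Rules"):
        findings.append("no-default-encryption")
    return findings

# Constructed snapshots (hypothetical bucket name): the leaky shape next to the corrected one.
LEAKY_BUCKET = {
    "Name": "example-phi-records", "PublicAccessBlock": {}, "Encryption": {},
    "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    "Policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                         "Resource": "arn:aws:s3:::example-phi-records/*"}]}),
}
HARDENED_BUCKET = {
    "Name": "example-phi-records", "PublicAccessBlock": {k: True for k in PAB_KEYS}, "Policy": None,
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}],
    "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}
```

In a real CSPM job the same `audit_bucket` function would be fed the four API responses per bucket and any non-empty result for a bucket tagged as holding PHI/PII would raise an alert.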