Healthcare systems guard some of our most private and immutable data: medical histories, diagnoses, treatments, insurance claims, and personally identifiable information (PII). When those systems fail, the consequences go beyond mere embarrassment — they can threaten identities, finances, and patient trust. Below are some of the biggest known health-sector data disasters in recent years — and how the Archer Health breach aligns with this troubling trend.
Notable Health Data Breaches in Recent Years
UnitedHealth / Change Healthcare (2024 / 2025)
One of the largest healthcare breaches in U.S. history, the compromise of Change Healthcare (part of UnitedHealth’s tech arm) affected over 192 million individuals according to updated figures from the U.S. Department of Health and Human Services. (Reuters)
The scope of the hack was immense: patient diagnoses, billing details, Social Security numbers, treatment records, claims data — all potentially exposed. (Reuters)
The attackers, identifying themselves as the “Blackcat” ransomware group, used stolen credentials to get in through a Citrix portal that lacked multifactor authentication. (The Verge)
Archer Health, Inc. (2025)
In September 2025, a security researcher identified an unencrypted, publicly accessible database tied to Archer Health (also known as Archer Home Health), a California-based provider of in-home and palliative care. (breachsense.com, TechRadar, hackread.com)
That database held approximately 145,596 files (PDFs, PNGs, image files) containing deeply sensitive medical and personal data — names, SSNs, patient IDs, home addresses, phone numbers, diagnoses, treatment plans, discharge documents, and internal dashboards. (Potter Handy, LLP; TechRadar; hackread.com)
Once notified, Archer Health restricted access within hours and acknowledged the disclosure. (TechRadar; Potter Handy, LLP)
While the breach may not rival the scale of UnitedHealth in sheer numbers, it is alarming for several reasons:
- The data was completely unprotected (no password, no encryption)
- The documents included full medical details and internal systems information
- It underscores how smaller or specialized providers can be equally vulnerable
Other Historic Breaches Worth Knowing About
- Anthem (2015)
A classic example: hackers broke into Anthem Inc. servers and exposed data on tens of millions of customers. While medical data and financial details were implicated, the incident served as a wake-up call for the health insurance sector. (Wikipedia)
- SingHealth (Singapore, 2018)
A breach in Singapore compromised the personal data of 1.5 million patients including names, national identity numbers, addresses, and prescribed outpatient medications. (Wikipedia)
Though medical diagnoses and doctors’ notes were spared in that attack, the incident remains one of the most high-profile in public health IT history in Southeast Asia.
- Vastaamo (Finland, 2020 disclosure)
A mental health clinic’s patient records were stolen and later used in an extortion scheme. Sensitive psychotherapy notes, client names, and contact details ended up published or used to demand ransom payments from patients. (Wikipedia)
- Waikato District Health Board (New Zealand, 2021)
A ransomware attack crippled IT systems across the board, exposing patient care data, staff information, and financial records. (Wikipedia)
What These Breaches Teach Us About the Stakes
Health Data Has Long-Term Value
Unlike credit card numbers or passwords, one cannot simply “reset” health records. Once personal health data is exposed, it may affect individuals indefinitely. That permanence makes such data a highly prized commodity on underground markets.
Smaller Providers Are Not Immune
Large-scale attacks (like UnitedHealth) make headlines, but incidents like Archer Health show that smaller organizations or niche home-care providers can still make for high-value targets — especially if protections are weak.
Misconfigurations & Oversights Are Common Attack Paths
Many major breaches don’t start with zero-day exploits — they begin with human or configuration errors: missing encryption, open access, weak permissions, or lack of multifactor authentication.
Multiplier Effects Across Ecosystems
Breaches in one system (e.g., claims processing, supplier networks, software platforms) often cascade into others. The MOVEit breach in 2023, for example, compromised data across industries, including many health organizations. (Wikipedia)
Regulatory and Legal Fallout
When health data is exposed, organizations must contend with regulatory investigations (e.g., under HIPAA in the U.S.), class action lawsuits, reputational harm, and the cost of remediation. A breach involving PHI (protected health information) often triggers mandatory notifications to affected patients and oversight from agencies like HHS.
Strengthening Defenses: What Must Change
- Encrypt All Data, Always
Whether at rest or in transit, encryption should be non-negotiable. An exposed file is far less dangerous if it is unreadable without the decryption key.
- Use Strong Access Controls & Multi-Factor Authentication
Every system with patient data should require MFA and follow the principle of least privilege.
- Audit and Monitor Continuously
Unusual access patterns, sudden bulk exports, or configuration changes should trigger alerts.
- Eliminate Sensitive Information in File Names and Metadata
Patient names or identifiers should never live in folder names or file names, which may be logged or exposed.
- Vendor and Third-Party Oversight
Many health IT systems are outsourced. Ensure contractors meet rigorous security standards and are audited regularly.
- Staff Training & Phishing Defense
Many breaches begin with a phishing email. Regular training and phishing simulations can shore up this weakest link.
- Assume Breach, Plan Response
Having an incident response plan and performing periodic drills ensures rapid containment when things go wrong.
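One way to act on the file-name recommendation above, as an added example that is not part of the original article: audit a storage listing for identifiers embedded in paths and propose keyed, opaque replacement names. The regex formats, the roster lookup, the key and all sample paths are assumptions constructed for illustration.

```python
import hashlib
import hmac
import posixpath
import re

# Heuristic patterns (assumed formats) for identifiers that must not appear in paths.
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}[-_ ]?\d{2}[-_ ]?\d{4}(?!\d)"),
    "date": re.compile(
        r"(?<!\d)(?:19|20)\d{2}[-_.]?(?:0[1-9]|1[0-2])[-_.]?(?:0[1-9]|[12]\d|3[01])(?!\d)"
    ),
    "mrn": re.compile(r"(?i)(?:mrn|patient(?:[-_ ]?id)?)[-_ #]*\d{4,}"),
}

def audit_path(path, roster=frozenset()):
    """Return the sorted identifier kinds found in one file or object path."""
    hits = {kind for kind, rx in PATTERNS.items() if rx.search(path)}
    # Names cannot be matched by pattern; compare path tokens to a patient roster.
    tokens = {t.lower() for t in re.split(r"[^A-Za-z]+", path) if t}
    if tokens & roster:
        hits.add("name")
    return sorted(hits)

def opaque_name(path, key):
    """Keyed replacement name: HMAC-SHA256 of the old path, extension kept."""
    ext = posixpath.splitext(path)[1].lower()
    digest = hmac.new(key, path.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32] + ext

def rename_plan(paths, key, roster=frozenset()):
    """Map each offending path to (kinds found, opaque replacement name)."""
    plan = {}
    for path in paths:
        kinds = audit_path(path, roster)
        if kinds:
            plan[path] = (kinds, opaque_name(path, key))
    return plan

# Constructed sample data; the paths, roster and key are not from any real system.
SAMPLE_PATHS = [
    "intake/Doe_Jane_123-45-6789_discharge.pdf",
    "scans/MRN-00481516/wound_photo.png",
    "plans/care_plan_1957-03-14.pdf",
    "templates/blank_intake_form.pdf",
]
SAMPLE_ROSTER = frozenset({"doe"})
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
```

The mapping from old path to opaque name belongs in an access-controlled index, and the key should come from a secrets manager rather than source code.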
The Archer Health Case as a Warning Signal
While the Archer Health breach may not have impacted the same number of people as the UnitedHealth / Change Healthcare breach, it underscores a critical truth: even without a dramatic ransomware attack or nation-state adversary, health data can be irreversibly compromised by basic security failures.
For patients, that means personal health and identity information is at risk. For providers, it means a test — not just of their technology, but of their commitment to security culture and oversight.
If there’s one takeaway, it’s this: in healthcare, data is life. That truth demands more than compliance — it demands vigilance.