{ "id": "283b2d68-787c-4be6-bcf0-4ef6263a42e8", "created_at": "2026-04-06T00:13:53.705955Z", "updated_at": "2026-04-10T03:36:01.605333Z", "deleted_at": null, "sha1_hash": "603943fe72cb40ca0c512dbc73b351bf3e03d66e", "title": "Doctor Alliance Investigating 353 GB Data Theft Claim", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 68693, "plain_text": "Doctor Alliance Investigating 353 GB Data Theft Claim\r\nBy Steve Alder\r\nPublished: 2025-11-17 · Archived: 2026-04-05 13:25:59 UTC\r\nPosted By on Nov 17, 2025\r\nDallas, TX-based Doctor Alliance, a HIPAA business associate that provides document management and billing\r\nservices to HIPAA-covered entities, is investigating a claim that a hacker exfiltrated 353 GB of data in a\r\nNovember cyberattack.\r\nOn or around November 7, 2025, a hacker using the moniker Kazu, added a post to an underground hacking forum\r\nclaiming to have stolen 1.24 million files from Doctor Alliance. The hacker has demanded a $200,000 ransom,\r\npayment of which is required to ensure that the stolen data is deleted. The hacker has threatened to sell the data if\r\nthe ransom is not paid.\r\nA 200 MB sample was added to the listing that was analyzed and found to contain what appears to be patient\r\nnames, addresses, phone numbers, email addresses, medical record numbers, Medicare numbers, diagnoses,\r\ntreatment information, medications, and provider information. According to the leak site, Doctor Alliance has until\r\nNovember 21, 2025, to pay the ransom.\r\nWhile the sample appears to include patient data, it has yet to be confirmed whether the data came from Doctor\r\nAlliance. It is possible that the data came from a previous data breach at an unrelated entity. Doctor Alliance has\r\nissued a statement confirming it is aware of the claim, has engaged cybersecurity experts to determine whether its\r\nnetwork was compromised, and is analyzing the data sample to determine if the claim is valid. Doctor Alliance\r\nhas confirmed that a single client account has been accessed by an unauthorized individual, and that immediate\r\naction was taken to contain the incident. The vulnerability that was exploited was remediated on the day of\r\ndiscovery, but Doctor Alliance has not confirmed if data was stolen in that incident.\r\nGet The FREE\r\nHIPAA Compliance Checklist\r\nImmediate Delivery of Checklist Link To Your Email Address\r\nPlease Enter Correct Email Address\r\nhttps://www.hipaajournal.com/doctor-alliance-data-breach-claim/\r\nPage 1 of 2\n\nYour Privacy Respected\r\nHIPAA Journal Privacy Policy\r\nIt is unclear whether Kazu is an individual or a member of a hacking group. The Kazu data leak site currently lists\r\nmore than 30 victims from spring 2025. Other victims on the leak site include government entities, the military,\r\nand other healthcare organizations. Kazu does not appear to have previously targeted entities in the United States,\r\nappearing to favor entities in South America, Asia, and the Middle East. The dark web data leak site includes\r\nvictims from Argentina, Bolivia, Colombia, Costa Rica, Iran, Mauritania, Mexico, Nepal, Saudi Arabia, Sri Lanka,\r\nThailand, and Venezuela. Doctor Alliance is currently the only listed U.S. victim.\r\nThe lack of confirmation of data theft has not prevented legal action from being taken. Multiple class action\r\nlawsuits have already been filed in the United States District Court for the Northern District of Texas, Dallas\r\nDivision, by individuals who claim to have been affected. One of those lawsuits was filed by Barbara Catabia,\r\nindividually and on behalf of similarly situated individuals. According to the lawsuit, “There is no question\r\nPlaintiff’s and Class Members’ Private Information is in the hands of cybercriminals who will continue to use the\r\nstolen Private Information for nefarious purposes for the rest of their lives.”\r\nThe lawsuit claims Doctor Alliance provides services to healthcare organizations such as Intrepid, AccentCare,\r\nInterim, and Prima Care. Prima Care is also named as a defendant in the lawsuit. The lawsuit asserts claims of\r\nnegligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and breach\r\nof third-party beneficiary contract. The lawsuit seeks class action certification, a jury trial, compensatory damages,\r\npunitive damages, nominal damages, restitution, injunctive and declaratory relief, reasonable attorneys’ fees and\r\ncosts, and other remedies deemed appropriate by the court.\r\nSource: https://www.hipaajournal.com/doctor-alliance-data-breach-claim/\r\nhttps://www.hipaajournal.com/doctor-alliance-data-breach-claim/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "references": [ "https://www.hipaajournal.com/doctor-alliance-data-breach-claim/" ], "report_names": [ "doctor-alliance-data-breach-claim" ], "threat_actors": [ { "id": "d3a027b4-6a97-44c9-8caf-f3a62241ceba", "created_at": "2026-01-23T02:00:03.297223Z", "updated_at": "2026-04-10T02:00:03.935556Z", "deleted_at": null, "main_name": "Kazu", "aliases": [], "source_name": "MISPGALAXY:Kazu", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434433, "ts_updated_at": 1775792161, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/603943fe72cb40ca0c512dbc73b351bf3e03d66e.pdf", "text": "https://archive.orkl.eu/603943fe72cb40ca0c512dbc73b351bf3e03d66e.txt", "img": "https://archive.orkl.eu/603943fe72cb40ca0c512dbc73b351bf3e03d66e.jpg" } }