{
	"id": "622b9564-88b5-47ea-92e7-be71e044ce87",
	"created_at": "2026-04-11T02:23:36.193607Z",
	"updated_at": "2026-04-11T02:24:15.508786Z",
	"deleted_at": null,
	"sha1_hash": "6f0e61ca938067ee2a79c7b4fcfafc99731763fa",
	"title": "From bad to worse: Doctor Alliance hacked again by same threat actor (2) - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 490803,
	"plain_text": "From bad to worse: Doctor Alliance hacked again by same threat\r\nactor (2) - DataBreaches.Net\r\nPublished: 2025-11-18 · Archived: 2026-04-11 02:06:31 UTC\r\nOn November 12, DataBreaches reported that Doctor Alliance had allegedly been hacked by a threat actor who\r\nlisted the data for sale on a clearnet forum. At the time, “Kazu” claimed to have 353 GB of data and had given\r\nDoctor Alliance a November 21 deadline to pay $200,000 or the data would be sold to others.\r\nAs previously noted, Kazu told DataBreaches that he had exploited an older vulnerability that Doctor Alliance had\r\nnot patched. When emailed about his claims, a spokesperson for Doctor Alliance told DataBreaches that they were\r\ninvestigating the claims but had not confirmed anything. They did not respond to subsequent inquiries when\r\nDataBreaches sent them sample files and a screenshot allegedly demonstrating Kazu had access.\r\nAlthough they failed to provide any further statement to DataBreaches, Doctor Alliance apparently responded to\r\nothers’ inquiries by acknowledging that they had recently identified unauthorized access involving a single client\r\naccount. “The issue was contained immediately, impacted systems were secured and the vulnerability was\r\ncorrected the same day. We are currently working with independent security experts to complete a thorough\r\nanalysis of the incident. At this stage, we have not verified the claims or numbers circulating online,” they\r\ninformed ISMG.\r\nTheir lack of confirmation or denial did not stop personal injury law firms from seeking plaintiffs for class action\r\nlitigation or from filing lawsuits already. By now, four potential class action lawsuits have been filed in federal\r\ncourt in the Northern District of Texas.\r\nBut Doctor Alliance has an even bigger problem now.  
It appears Kazu has hacked them again.\r\nThe Second Hack\r\nOn Kazu’s Telegram channel, he wrote:\r\nAfter seeing Vivek Kushalnagar Srinivas, the CEO of Doctor Alliance, proudly announce that the\r\ncompany had “fixed the vulnerability” on the same day our first message was published — we decided\r\nto dig deeper.\r\nWe decide to search and exploit more vulnerabilities in their system .\r\nThis time, we managed to extract a total of approximately 5 million files, including:\r\n3,740,129 signed documents from all PGs (917 GB)\r\n1,240,640 unsigned files (353 GB)\r\nTotal: nearly 1.27 terabytes of stolen data.\r\nhttps://databreaches.net/2025/11/18/from-bad-to-worse-doctor-alliance-hacked-again-by-same-threat-actor/\r\nPage 1 of 6\n\nA check of Kazu’s original forum listing shows that the listing was updated to reflect those numbers. The deadline\r\nfor Doctor Alliance to respond to them has been revised to November 25, but now the amount is no longer\r\n$200,000 but $500,000, as shown below:\r\nUpdated listing by Kazu on clear net forum. Image and redaction: DataBreaches.net\r\nIn an online chat, Kazu informed DataBreaches that the second attack was launched over the past weekend when\r\nemployees were not working. He reportedly tried to dump all the files in just 5-7 hours using all his servers.\r\nDoctor Alliance employees reportedly did not detect the breach until Monday. As before, Kazu emailed the firm\r\nwith samples of the data he had acquired.\r\nAs far as DataBreaches knows, Doctor Alliance has not responded directly to Kazu nor attempted to negotiate\r\neither after the first attack nor this second one that Kazu claims.\r\nDataBreaches asked Kazu whether the second attack involved the same vulnerability as the first attack. He\r\nresponded that it did, and that he was able to gain access using an account with high privileges. 
When asked\r\nwhere/how he acquired the credentials, Kazu responded that Doctor Alliance reuses some admin passwords across\r\nmultiple admin accounts, and he was able to find one by looking at infostealer logs. DataBreaches is unable to\r\nattempt to verify those claims.\r\nMore Than 1 Million Patients Affected?\r\nDoctor Alliance has many clients, each with many patients. If Kazu exfiltrated more than 5 million records, even\r\nif there were many duplicates or multiple files for any one patient, this breach likely impacted a significant\r\nnumber of patients’ sensitive protected health information and personal information.\r\nDataBreaches did not include screenshots of purported patient records in the previous post, but because Doctor\r\nAlliance has neither confirmed nor denied that they are real, we are posting a few here to show readers what the\r\ndata tranche looks like. Kazu provided DataBreaches with an expanded sample of more than 100GB of files. As\r\nbefore, DataBreaches was able to spot-check and find real people with the names, addresses, and dates of birth as\r\nthe patient records in the tranche.\r\nTo give readers a sense of how much protected health information has been compromised, consider two redacted\r\nscreenshots below. Each one represents a unique patient. The first screenshot is the first page of a multi-page .pdf\r\nrecord for a New Mexico patient with Stage 4 rectal cancer. In addition to her name, date of birth, address, phone\r\nnumber, medical record number, and information on the healthcare provider, the cover sheet lists her primary and\r\nsecondary diagnoses as well as significant medical details, cognitive status, mood, and patient risk profile.\r\nHome health certification and plan of care for a female patient in New Mexico; Page 1 of the record\r\nfor the patient, who has Stage 4 rectal cancer. 
Image redacted by DataBreaches.net.\r\nThe second screenshot, below, certifies that a Massachusetts patient has a terminal diagnosis of Alzheimer’s\r\nDisease and likely has six months or less to live. Such certification is required to make the patient eligible for\r\nhospice care.\r\nCertification that a patient doesn’t have long to live so that they can get hospice care. Image:\r\nDataBreaches.net\r\nMany of the reports in the data Kazu provided to this site were for home health care for occupational therapy,\r\nphysical therapy,  visiting nurse services, or hospice services. All of the files examined by DataBreaches contained\r\npersonal and protected health information.\r\nHIPAA Concerns\r\nDoctor Alliance is a firm with a presence in both the U.S. and India. According to what Kazu claims, the majority\r\nof employees are in India, but if Doctor Alliance is doing business in the U.S. 
and providing services involving\r\nelectronic billing transactions, then they should have business associate agreements (BAA) in place with HIPAA-covered entities, and they need to comply with HIPAA and HITECH notification requirements.\r\nDataBreaches does not know exactly how many HIPAA-covered entities Doctor Alliance has had over the past six\r\nyears or so (considering the dates of some of the medical records), but they may have thousands of notifications to\r\nmake to former or current clients, and if their BAA calls for it, they may have hundreds of thousands — or more\r\n— individual notifications to be sent to affected patients.\r\nBut apart from any regulatory notification requirements that they may be subject to and other incident response\r\ncosts that may or may not be covered by any insurance, there is the issue of whether their network is secure\r\nenough at this point for clients to trust.\r\nFrom what Kazu shared with DataBreaches, the CEO of Doctor Alliance appears to have been informed by\r\nAvaility that the payment platform would “reenable the blocked users and connections associated with Company\r\nafter you complete a full breach assessment of Company’s affected systems (“Breach Assessment”).” Availity’s\r\ncommunication includes a very specific and detailed list of questions about the entity’s security, incident response,\r\nand required attestation that the network is now clean. In light of the second attack after Doctor Alliance claimed\r\nthe vulnerability was corrected the same day as the first attack, it appears that Doctor Alliance did not have a full\r\nunderstanding of their security issues. Could Kazu successfully compromise them again? 
One hopes not, but it\r\nwould be understandable for Doctor Alliance’s clients to be seriously concerned at this point.\r\nDataBreaches emailed Doctor Alliance earlier today to ask for an update and response to the second breach, but\r\nhas received no reply. DataBreaches also emailed Availity to ask if their alleged communication to the CEO \r\nrepresents a routine incident response for them, and if they are aware of the second claimed attack. No reply was\r\nimmediately available.\r\nAs this post was about to be published, Kazu contacted this site to say he was about to leak all the data, so there\r\nmay be another update soon.\r\nUpdate 1: Over on SuspectFile, Marco A. De Felice discusses these breaches and how Doctor Alliance’s lack of\r\ntransparency makes it impossible for their clients to really trust that their data has not been stolen or won’t be\r\nstolen by Kazu again. Doctor Alliance clearly tried to reassure its clients after the first attack, but given that they\r\nwere proven wrong in their claims, can any client believe that their data hasn’t been acquired?\r\nAs a matter of common sense, you can’t assure clients that their data is safe or wasn’t acquired if you haven’t\r\nfinished a complete forensic investigation, and it doesn’t sound like they have. So how can they reassure any\r\nclient(s) that their data has not been compromised or is not at risk of further compromise?  
Once covered entities\r\nare aware of a breach, they have obligations under HIPAA, including not knowingly uploading PHI to an\r\nunsecured environment or possibly unsecured environment.\r\nRead Marco’s thoughtful commentary on SuspectFile.\r\nUpdate 2 (November 20):  Kazu has leaked the 1.2 TB of data.\r\nSource: https://databreaches.net/2025/11/18/from-bad-to-worse-doctor-alliance-hacked-again-by-same-threat-actor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://databreaches.net/2025/11/18/from-bad-to-worse-doctor-alliance-hacked-again-by-same-threat-actor/"
	],
	"report_names": [
		"from-bad-to-worse-doctor-alliance-hacked-again-by-same-threat-actor"
	],
	"threat_actors": [],
	"ts_created_at": 1775874216,
	"ts_updated_at": 1775874255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f0e61ca938067ee2a79c7b4fcfafc99731763fa.pdf",
		"text": "https://archive.orkl.eu/6f0e61ca938067ee2a79c7b4fcfafc99731763fa.txt",
		"img": "https://archive.orkl.eu/6f0e61ca938067ee2a79c7b4fcfafc99731763fa.jpg"
	}
}