$200K ransom demanded of Doctor Alliance after hackers say they stole 1.2M files
A cybersecurity research firm said it found a new data trove on the dark web, reportedly containing 1.24 million files, many related to direct patient care, that allegedly belongs to Doctor Alliance, a health IT platform that provides automated billing services.
In a report released on Monday, Cybernews confirmed a post on a popular hacker forum, likely made by the alleged perpetrators, claiming 353 gigabytes of data was stolen during a breach of Doctor Alliance’s network.
For now, the data has not been leaked, with the user going by the alias “Kazu” threatening to either post or sell the information on November 21, 2025, if a ransom of $200,000 is not paid.
Kazu, who could represent a group rather than an individual, released a small 200 MB sample to prove they have the goods. Cybernews said the revealed files include “various medical records, riddled with sensitive personal data,” specifically details on patient prescriptions, treatment plans, names, health insurance numbers, phone numbers, home addresses, hospital orders and more.
Such data access would constitute a reportable breach under the terms of the Health Insurance Portability and Accountability Act (HIPAA).
In reviewing the data, the cybersecurity researchers came to believe the trove—if determined to be legitimate—poses a serious risk to patients and employees, as it could all be used for identity theft, blackmail or other nefarious purposes.
This includes not only medical identity theft but also insurance fraud.
“This data leak poses a huge risk of identity theft and medical fraud for the patients involved, such as obtaining medical services or prescription drugs in the victim's name. Both doctors and patients can fall victim to social engineering attacks,” researchers said in the report.
The alleged cybercriminals have promised to delete the data if the ransom is paid. Details on the supposed attack, including when it took place and what vector was used, were not revealed in the post. However, it appeared on the forum on Nov. 10.
No known hacker cell has claimed credit for the attack; the user has a history on the forum that dates back only four months.
Company has yet to comment
Doctor Alliance is headquartered in Dallas. According to its website, its list of clients includes Intrepid, AccentCare, Carter, Interim and many other healthcare providers across the U.S., representing millions of patients.
As of Wednesday, the company has yet to confirm it suffered any cyberattack, let alone one that resulted in protected health information being accessed. HealthExec reached out for comment.
