Doctor Alliance 2025 Data Breach
ObscureIQ Breach Intelligence
High SeverityWebsite / service breach
Doctor Alliance Healthcare Billing Platform Breach (2025): 387K Patient SSN & Contact Records Exposed
Healthcare billing and collections management company.
Verified by ObscureIQ Intelligence
87/100Breach Risk Index
25Data Value
60Market Recency
133dSince Breach
Breach Intelligence Summary
Entity: Doctor Alliance · Actor: Kazu (alias) · Sources: 2 references
Attack: Misconfiguration
Profile: Healthcare Technology Company · Clinical documentation, billing, and physician workflow services · Healthcare document and billing platform · USA
Timeline: Breach (2025-11-18) · Indexed (Dec 15, 2025) · Year (2025)
Exposure: 387K records · 4 fields: Email Address, Full Name, Phone Number, Social Security Number
Status: Reported
Executive Summary
Doctor Alliance, a Dallas-based healthcare technology company providing clinical document management and billing services to home health agencies and physician practices, suffered a credential-abuse data breach between October 31 and November 17, 2025. An unauthorized party obtained Doctor Alliance web-portal login credentials through unknown means and used a script to systematically request patient documents from the portal by enumerating combinations of patient IDs and document numbers. A hacker using the alias 'Kazu' claimed responsibility on a hacking forum on November 7, 2025, asserting theft of 1.24 million files totaling 353 gigabytes and demanding a $200,000 ransom by November 21, 2025. Doctor Alliance was alerted on November 13, 2025, notified the FBI on November 16, 2025, and posted a public notice on its website. Multiple home-health clients including Amedisys, AccentCare, Angels Care Home Health, and Prima Care subsequently issued downstream patient notifications. The breach affected approximately 387,000 individuals based on records indexed by breach-tracking services, with approximately 33,000 unique Social Security numbers and 7,900 unique email addresses among the records. Compromised fields included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, medical record numbers, Medicare numbers, diagnoses, treatment information, medications, and provider information. Although the hacker's claim of 1.24 million files initially suggested 1.2 million affected individuals, subsequent analysis indicated the actual patient-individual count is substantially smaller, with many files representing duplicate documents for the same patients across multiple home-health visits. For affected patients, the practical risk profile combines identity-fraud exposure with home-health and Medicare-specific risks. The combination of name, address, date of birth, and Social Security number is a strong base for synthetic identity fraud and fraudulent credit applications. Inclusion of Medicare numbers raises direct healthcare-fraud risk including fraudulent home-health billing. Inclusion of medication and diagnosis information supports highly targeted medical-themed phishing referencing real prescriptions and treatments. Patients receiving home-health services are categorically more vulnerable to medical-fraud and emotional-manipulation scams because they are often elderly or recovering from illness. Affected patients should freeze credit at all three U.S. bureaus, monitor Medicare summary notices and home-health billing statements closely, alert family caregivers to be cautious of unsolicited contact, and treat unsolicited communications referencing Doctor Alliance, home-health agencies, or Medicare with caution.
ObscureIQ assessment: Severe risk of identity theft, medical fraud, billing abuse, and provider impersonation. Document and workflow data can also expose treatment relationships and operational vulnerabilities inside clinics.
Breach Impact
The institutional impact on Doctor Alliance is substantial given the platform's role as a back-office layer for major U.S. home-health operators. Federal HIPAA notification obligations as a business associate, an active Office for Civil Rights review, multistate attorney-general filings, and active class-action litigation in the U.S. District Court for the Northern District of Texas are all underway. The credential-abuse pathway raises broader questions about Doctor Alliance's authentication architecture, particularly the absence of multi-factor authentication and rate-limiting that would have impeded the enumeration script. Downstream client relationships have been affected, with Amedisys, AccentCare, and other major home-health operators issuing public notices that explicitly attribute the breach to Doctor Alliance rather than to their own systems. Reputational impact extends across the home-health technology vendor market.
About Doctor Alliance
Doctor Alliance (operating as My 485, Inc.) is a Dallas, Texas-based healthcare technology company that provides clinical document management, billing, and physician-workflow services to home health agencies and physician practices across the United States. The company's platform integrates with electronic health record systems and processes high volumes of clinical and administrative data, including patient documents, plan-of-care signatures, and Medicare 485 forms. Doctor Alliance's clients include major U.S. home health operators such as Amedisys, AccentCare, Interim HealthCare, Angels Care Home Health, and Prima Care. As a HIPAA-regulated healthcare business associate, Doctor Alliance maintains substantial volumes of protected health information aggregated across its many home-health and physician clients, alongside provider records, scheduling information, and billing data.
Why They Hold Your Data
Healthcare workflow and billing platforms collect patient identity, provider records, billing data, clinical documents, scheduling information, and physician workflow records across practice-management operations.
Recent Developments
Doctor Alliance was alerted to a cybersecurity incident on November 13, 2025 after a hacker using the alias 'Kazu' posted on an underground hacking forum on November 7, 2025 claiming to have stolen 1.24 million files totaling 353 GB from Doctor Alliance's systems. The hacker demanded a $200,000 ransom by November 21, 2025, threatening to sell the data if payment was not made. Doctor Alliance's investigation determined that an unknown unauthorized party had obtained Doctor Alliance web-portal credentials and accessed certain files intermittently between October 31, 2025 and November 17, 2025. The unauthorized party also used a script to send multiple requests to the Doctor Alliance web portal using varying combinations of patient IDs and document numbers, indicating credential abuse and enumeration rather than ransomware encryption. Doctor Alliance notified the FBI on November 16, 2025 and posted a public notice on its website. Affected home-health clients including Amedisys (notified January 5, 2026), Angels Care (notified January 13, 2026), and AccentCare (notified February 2026) issued downstream patient notifications. Multiple class-action lawsuits were filed in the U.S. District Court for the Northern District of Texas, Dallas Division.
Data Points Exposed
4 verified field types
Email Address
Full Name High
Phone Number
Social Security Number Critical
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Exploitation & Downstream Threats
Threat Activity:Critical
Primary downstream threats:
- Identity theft and synthetic identity construction using government-issued IDs
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
Threat vectors:
- Phishing, credential stuffing & account takeover
- Name-based social engineering
- SIM swapping, vishing & SMS phishing
- Full identity theft & synthetic identity fraud
Threat Actor: Kazu (alias)
Kazu (alias)
Misconfiguration
Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.
Recommended Actions
If you believe your information may be included:
Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
Frequently Asked Questions
What happened in the Doctor Alliance breach?▾
Doctor Alliance, a Dallas-based healthcare technology company providing clinical document management and billing services to home health agencies and physician practices, suffered a credential-abuse data breach between October 31 and November 17, 2025. An unauthorized party obtained Doctor Alliance…
What data was exposed?▾
Verified fields include Email Address, Full Name, Phone Number, Social Security Number.
What should I do if I was affected?▾
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Sources & References
Every claim on this page is traceable. This breach draws on:
Breach Index
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Protect Yourself
Check If You're Affected
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation