Doctor Alliance, a Dallas-based healthcare technology company providing clinical document management and billing services to home health agencies and physician practices, suffered a credential-abuse data breach between October 31 and November 17, 2025. An unauthorized party obtained Doctor Alliance web-portal login credentials through unknown means and used a script to systematically request patient documents from the portal by enumerating combinations of patient IDs and document numbers. A hacker using the alias 'Kazu' claimed responsibility on a hacking forum on November 7, 2025, asserting theft of 1.24 million files totaling 353 gigabytes and demanding a $200,000 ransom by November 21, 2025. Doctor Alliance was alerted on November 13, 2025, notified the FBI on November 16, 2025, and posted a public notice on its website. Multiple home-health clients including Amedisys, AccentCare, Angels Care Home Health, and Prima Care subsequently issued downstream patient notifications.

The breach affected approximately 387,000 individuals based on records indexed by breach-tracking services, with approximately 33,000 unique Social Security numbers and 7,900 unique email addresses among the records. Compromised fields included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, medical record numbers, Medicare numbers, diagnoses, treatment information, medications, and provider information. Although the hacker's claim of 1.24 million files initially suggested 1.2 million affected individuals, subsequent analysis indicated the actual patient-individual count is substantially smaller, with many files representing duplicate documents for the same patients across multiple home-health visits.

For affected patients, the practical risk profile combines identity-fraud exposure with home-health and Medicare-specific risks. The combination of name, address, date of birth, and Social Security number is a strong base for synthetic identity fraud and fraudulent credit applications. Inclusion of Medicare numbers raises direct healthcare-fraud risk including fraudulent home-health billing. Inclusion of medication and diagnosis information supports highly targeted medical-themed phishing referencing real prescriptions and treatments. Patients receiving home-health services are categorically more vulnerable to medical-fraud and emotional-manipulation scams because they are often elderly or recovering from illness. Affected patients should freeze credit at all three U.S. bureaus, monitor Medicare summary notices and home-health billing statements closely, alert family caregivers to be cautious of unsolicited contact, and treat unsolicited communications referencing Doctor Alliance, home-health agencies, or Medicare with caution.

Healthcare workflow and billing platforms collect patient identity, provider records, billing data, clinical documents, scheduling information, and physician workflow records across practice-management operations.

Doctor Alliance was alerted to a cybersecurity incident on November 13, 2025 after a hacker using the alias 'Kazu' posted on an underground hacking forum on November 7, 2025 claiming to have stolen 1.24 million files totaling 353 GB from Doctor Alliance's systems. The hacker demanded a $200,000 ransom by November 21, 2025, threatening to sell the data if payment was not made. Doctor Alliance's investigation determined that an unknown unauthorized party had obtained Doctor Alliance web-portal credentials and accessed certain files intermittently between October 31, 2025 and November 17, 2025. The unauthorized party also used a script to send multiple requests to the Doctor Alliance web portal using varying combinations of patient IDs and document numbers, indicating credential abuse and enumeration rather than ransomware encryption. Doctor Alliance notified the FBI on November 16, 2025 and posted a public notice on its website. Affected home-health clients including Amedisys (notified January 5, 2026), Angels Care (notified January 13, 2026), and AccentCare (notified February 2026) issued downstream patient notifications. Multiple class-action lawsuits were filed in the U.S. District Court for the Northern District of Texas, Dallas Division.