A cybersecurity research firm has now found a new data trove on the dark web, said to contain 1.24 million files, many related to direct patient care, that allegedly belong to Doctor Alliance, a health IT platform that provides automated billing services. This is a serious development, given the fact that the Texas-based venture has clients (healthcare providers) including Intrepid, AccentCare, Carter and Interim across the United States, representing millions of patients.
Recently, Cybernews confirmed a post on a popular hacker forum, likely made by the alleged perpetrators, claiming 353 gigabytes of data were stolen during a breach of Doctor Alliance’s network. For now, the data has not been leaked, with the user going by the alias “GOD” threatening to either post or sell the information on November 21, 2025, in case a ransom of USD 200,000 is not paid.
Alias “GOD,” who likely represents a group of individuals, released a small 200 MB sample to prove they have the files. As per Cybernews, the revealed files include “various medical records, riddled with sensitive personal data,” specifically details on patient prescriptions, treatment plans, names, health insurance numbers, phone numbers, home addresses, hospital orders and more.
In the United States, such data access would constitute a reportable breach under the terms of the Health Insurance Portability and Privacy Act (HIPAA). Cybersecurity researchers now believe the trove, if determined to be legitimate, poses a serious risk to patients and employees, as it could all be used for identity theft, blackmail or other nefarious purposes. This includes not only medical identity theft but also insurance fraud.
“This data leak poses a huge risk of identity theft and medical fraud for the patients involved, such as obtaining medical services or prescription drugs in the victim’s name. Both doctors and patients can fall victim to social engineering attacks,” remarked the researchers.
While promising that the data would be deleted if the ransom is paid, the alleged cybercriminals in a post refused to divulge details like when the attack took place and what vector was used. No known hacker outfit has claimed credit for the attack.