Doctor Alliance Investigating 353 GB Data Theft Claim

Posted by Steve Alder

Dallas, TX-based Doctor Alliance, a HIPAA business associate that provides document management and billing services to HIPAA-covered entities, is investigating a claim that a hacker exfiltrated 353 GB of data in a November cyberattack.

On or around November 7, 2025, a hacker using the moniker Kazu, added a post to an underground hacking forum claiming to have stolen 1.24 million files from Doctor Alliance. The hacker has demanded a $200,000 ransom, payment of which is required to ensure that the stolen data is deleted. The hacker has threatened to sell the data if the ransom is not paid.

A 200 MB sample was added to the listing that was analyzed and found to contain what appears to be patient names, addresses, phone numbers, email addresses, medical record numbers, Medicare numbers, diagnoses, treatment information, medications, and provider information. According to the leak site, Doctor Alliance has until November 21, 2025, to pay the ransom.

While the sample appears to include patient data, it has yet to be confirmed whether the data came from Doctor Alliance. It is possible that the data came from a previous data breach at an unrelated entity. Doctor Alliance has issued a statement confirming it is aware of the claim, has engaged cybersecurity experts to determine whether its network was compromised, and is analyzing the data sample to determine if the claim is valid. Doctor Alliance has confirmed that a single client account has been accessed by an unauthorized individual, and that immediate action was taken to contain the incident. The vulnerability that was exploited was remediated on the day of discovery, but Doctor Alliance has not confirmed if data was stolen in that incident.

It is unclear whether Kazu is an individual or a member of a hacking group. The Kazu data leak site currently lists more than 30 victims from spring 2025. Other victims on the leak site include government entities, the military, and other healthcare organizations. Kazu does not appear to have previously targeted entities in the United States, appearing to favor entities in South America, Asia, and the Middle East. The dark web data leak site includes victims from Argentina, Bolivia, Colombia, Costa Rica, Iran, Mauritania, Mexico, Nepal, Saudi Arabia, Sri Lanka, Thailand, and Venezuela. Doctor Alliance is currently the only listed U.S. victim.

The lack of confirmation of data theft has not prevented legal action from being taken. Multiple class action lawsuits have already been filed in the United States District Court for the Northern District of Texas, Dallas Division, by individuals who claim to have been affected. One of those lawsuits was filed by Barbara Catabia, individually and on behalf of similarly situated individuals. According to the lawsuit, “There is no question Plaintiff’s and Class Members’ Private Information is in the hands of cybercriminals who will continue to use the stolen Private Information for nefarious purposes for the rest of their lives.”

The lawsuit claims Doctor Alliance provides services to healthcare organizations such as Intrepid, AccentCare, Interim, and Prima Care. Prima Care is also named as a defendant in the lawsuit. The lawsuit asserts claims of negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and breach of third-party beneficiary contract. The lawsuit seeks class action certification, a jury trial, compensatory damages, punitive damages, nominal damages, restitution, injunctive and declaratory relief, reasonable attorneys’ fees and costs, and other remedies deemed appropriate by the court.

The post Doctor Alliance Investigating 353 GB Data Theft Claim appeared first on The HIPAA Journal.

Warning Issued About Akira Ransomware as Attacks on Critical Infrastructure Accelerate

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense Cyber Crime Center (DC3), Department of Health and Human Services (HHS), and international law enforcement partners about the Akira ransomware group, which has accelerated its attacks on critical infrastructure in recent months.

According to the FBI, Akira has been paid more than $244 million in ransoms since the group was first identified in March 2023. While Akira primarily targets small- to medium-sized organizations, the group has also attacked larger organizations, favoring sectors such as manufacturing, education, information technology, healthcare, financial services, and food and agriculture.

The group’s tactics are constantly evolving. While the group initially targeted Windows systems, a Linux version of its encryptor has been developed that is used to target VMware Elastic Sky X Integrated (ESXi) virtual machines (VMs), and recently the group has been observed encrypting Nutanix AHV VM disk files.

Akira typically uses stolen credentials for initial access, often obtained in spear phishing campaigns or through brute force attempts to guess weak passwords. Akira may also purchase access to compromised networks from initial access brokers. The group typically targets virtual private network (VPN) services that do not have multifactor authentication enabled, although vulnerabilities are also exploited. Akira has been observed exploiting vulnerabilities in Cisco devices (CVE-2020-3259; CVE-2023-70766) and has recently been observed exploiting a vulnerability in SonicWall Firewall devices (CVE-2024-40766). Once access has been gained, the group maintains persistence by using legitimate remote access tools such as LogMeIn and AnyDesk.

Like many other ransomware groups, Akira engages in double extortion tactics, stealing data and encrypting files, then demanding payment to prevent the publication of the stolen data on its leak site and to obtain the decryptrion keys.

“The threat of ransomware from groups like Akira is real and organizations need to take it seriously, with swift implementation of mitigation measures,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. The joint advisory about Akira ransomware was first issued in April 2024, but has now been updated with new tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) from recent attacks, including new recommended mitigations. The most important mitigations are to ensure that vulnerabilities are patched promptly, especially the vulnerabilities detailed in the advisory; to implement and enforce phishing-resistant multifactor authentication; and to ensure that backups are made of all critical data, storing backups securely offline.

The post Warning Issued About Akira Ransomware as Attacks on Critical Infrastructure Accelerate appeared first on The HIPAA Journal.

Urgent Patching Required to Fix Actively Exploited Cisco Flaws

Posted by Steve Alder

Threat actors are actively exploiting multiple Cisco vulnerabilities for which patches were previously issued in August; however, attacks are ongoing, including attacks on devices that have been improperly patched.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a cybersecurity alert this week about two critical Cisco vulnerabilities – CVE-2025-30333 and CVE-2025-20362 – affecting Cisco Adaptive Security Appliances (ASA) and Firepower devices. The vulnerabilities affect devices running Cisco Secure ASA Software or Cisco Secure FTD Software and have CVSS v3.1 base scores of 9.9 and 9.8. The vulnerabilities can be exploited by sending specially crafted HTTP requests to a vulnerable web server on a device.

Cisco issued patches to fix the vulnerabilities in August this year, warning that hackers could exploit the flaws to execute commands at a high privilege level. The flaws allow threat actors to access restricted URL endpoints that should be inaccessible without authentication. By exploiting the flaws, attackers can execute code on vulnerable devices. If the vulnerabilities are chained, an attacker can gain full control of the devices. At the time the patches were issued, Cisco warned that the vulnerabilities had already been exploited as zero-days in the ArcaneDoor campaign, which exploited two other flaws.

While many organizations applied the patches and believed they were protected against exploitation, in some cases, the patches were applied without updating the minimum software version, leaving the organizations vulnerable to exploitation. “In CISA’s analysis of agency-reported data, CISA has identified devices marked as ‘patched’ in the reporting template, but which were updated to a version of the software that is still vulnerable to the threat activity outlined in the [Emergency Directive], explained CISA in the alert. “CISA recommends all organizations verify the correct updates are applied.” CISA has published guidance on patching the two vulnerabilities and warned that immediate patching is required, including on devices that are not exposed to the Internet.

The post Urgent Patching Required to Fix Actively Exploited Cisco Flaws appeared first on The HIPAA Journal.