Data Breach Notification, Data Security, Fraud Management & Cybercrime
Kazu Demands $200K Ransom, Begins Leaking 1.2M Stolen Patient Records

Kazu, a relative newcomer among cybercrime gangs, is threatening to post 353 gigabytes of data allegedly stolen in recent weeks from Doctor Alliance, a Texas-based company that provides document and billing management technology and services to physician practices. The attack appears to be the gang’s first in North America.
Doctor Alliance in a statement to Information Security Media Group on Friday said the firm is working with independent security experts to investigate Kazu’s claims of having exfiltrated 1.2 million Doctor Alliance client records. Kazu is demanding Doctor Alliance pay a $200,000 ransom to stop the gang from publishing the stolen data on the dark web.
Leaked Doctor Alliance client data so far includes patient name, date of birth, address, phone number, email address, Medicare number, medical record number, primary and secondary diagnoses, treatment plans, medications and dosages, and provider information, according to one of three proposed federal class action lawsuits filed this week against the company related to the hack.
In addition to those lawsuits – which seek financial damages and allege claims including negligence – several other law firms in recent days have also issued public statements saying they, too, are investigating the Doctor Alliance data breach for potential class action litigation.
In Doctor Alliance’s statement to ISMG, the company said it is digging into the data theft claims.
“Doctor Alliance recently identified unauthorized access involving a single client account,” Doctor Alliance said in its statement to ISMG.
“The issue was contained immediately, impacted systems were secured and the vulnerability was corrected the same day. We are currently working with independent security experts to complete a thorough analysis of the incident. At this stage, we have not verified the claims or numbers circulating online.”
Doctor Alliance did not comment specifically on Kazu’s demands.
Data Theft-Focused
Kazu appears to be a relative newcomer to cybercrime, some experts told ISMG.
“Looking at its extortion site, the group accelerated data dump activity in the June to July 2025 timeframe but intel reports make mention of Kazu associated data dumps and forum postings back in spring of 2025 in the March-April timeframe,” said John Dwyer, deputy CTO and head of ARC Labs at security firm Binary Defense.
Despite the group’s recent emergence, Kazu has already leaked data from government, military and healthcare organizations, said threat researcher Jade Brown of security firm Bitdefender in a report issued Thursday. The majority of Kazu’s nearly three dozen victims so far are based in Southeast Asia, the Middle East and South America, Brown said.
So far, the group’s other victims include the National Civil Service Commission of Colombia and Defensoría del Pueblo de Colombia, according to threat intelligence monitoring website Ransomware.live.
The Doctor Alliance hack may indicate Kazu just recently extended its attacks to North America, Dwyer said.
“While we don’t have any concrete data on exploits used, based on the data and referenced names on Kazu’s site, there appears to be a strong focus on web portals and web-enabled services,” Dwyer said.
“This is a strong indication that this group made use of an exploit in a web application or web hosting platform to gain unauthorized access to the data directly from a web application, rather than gaining access to internal systems and stealing data from an internal file server,” he said.
To avoid becoming one of Kazu’s next victims, he said, “now is as good a time as ever to identify and address any issues on internet-facing web applications with known vulnerabilities. It also would be a great time to push all efforts regarding multifactor authentication on web-enabled portals.”
Kazu’s attacks appear to be focused on data theft extortion, and not ransomware encryption, Dwyer said. Encryption malware is a typical indicator researchers use for cybercrime group attribution.
“We don’t have any solid evidence that Kazu is a rebrand of another extortion based group. I couldn’t find any rebranding information or affiliations of Kazu with any known group,” he said.
“At this point, Kazu is being tracked as brand new rather than an obvious rebrand or splinter off from a known ransomware group; that may change over time, but that’s the info we have now.”













