Doctor Alliance, a Texas-based healthcare technology company operating a clinical document portal, confirmed unauthorized access to patient records between October 31 and November 17, 2025. The breach, disclosed to affected healthcare providers in January and February 2026, impacted multiple major home healthcare organizations including Amedisys, Angels Care Home Health, and AccentCare. An unknown threat actor used stolen credentials and automated scripting to systematically harvest patient clinical documents through Doctor Alliance's web portal. The FBI was notified on November 16, 2025, while patients were not informed until months later via their healthcare providers.

What Happened

The intrusion window spanned 18 calendar days. Using compromised login credentials of unknown origin, an unauthorized party accessed Doctor Alliance's clinical document portal intermittently between October 31 and November 17, 2025; the activity was detected on or before November 16, roughly two and a half weeks after the first access. The attacker did not simply browse: they deployed an automated script that sent repeated requests to the portal using varying combinations of patient IDs and document numbers, systematically enumerating and downloading clinical records at scale.

Doctor Alliance detected the incident and notified the FBI on November 16, 2025 — one day before the unauthorized access window closed. The company engaged third-party forensic investigators and secured its systems. However, downstream notifications to healthcare providers came significantly later: Amedisys received notice on January 5, 2026; Angels Care Home Health on January 13, 2026; AccentCare in February 2026. Affected patients were notified even later, through their respective providers. The gap between the breach (October–November 2025) and patient notification (February–March 2026) spans four to five months.

Doctor Alliance has not publicly disclosed the total number of patients affected across all impacted providers.

What Was Taken

The attacker accessed clinical documents containing:

This is Protected Health Information (PHI) under HIPAA — among the most sensitive categories of personal data. Unlike financial credentials, which can be changed, health data is permanently associated with a patient's identity and medical history. The combination of diagnoses, clinical summaries, and insurance data enables insurance fraud, targeted medical identity theft, and blackmail.

Why It Matters

This breach follows a now-familiar and dangerous pattern: a single third-party software vendor becomes the single point of failure for multiple healthcare organizations simultaneously. Doctor Alliance serves as the connective tissue between home healthcare providers and physicians for clinical document exchange. One compromised portal cascades into exposure across every provider using the platform.

The automated scripting element is particularly significant. This was not opportunistic browsing: the attacker enumerated records systematically by iterating patient ID and document number combinations. The underlying weakness in cases like this is usually an Insecure Direct Object Reference (IDOR): the server accepts a client-supplied identifier and returns the object without checking that the authenticated account is entitled to it. When those identifiers are predictable (sequential numbers, low-entropy patterns), a script can walk the whole space, which is the enumeration technique described here. That the attacker knew which parameters to vary suggests either prior knowledge of the portal's data structure or reconnaissance before the scripted harvest began.

The notification timeline is also a compliance concern, though the picture is more nuanced than a single 60-day clock. Under HIPAA's Breach Notification Rule, a covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery. A business associate such as Doctor Alliance must notify the covered entities it serves within the same outer limit, and each covered entity's own clock generally starts when it learns of the breach (unless the business associate is acting as its agent, in which case the business associate's discovery date is imputed to it). Doctor Alliance's notice to Amedisys on January 5, 2026 came roughly seven weeks after its November 16 detection: inside the 60-day ceiling, but hard to square with "without unreasonable delay." Whether any party actually exceeded its window depends on facts not yet public, but an end-to-end gap of four to five months between intrusion and patient notification is exactly the kind of delay that draws scrutiny from the HHS Office for Civil Rights.

The Attack Technique

The confirmed attack chain:

  1. Credential compromise — An unknown party obtained valid login credentials for the Doctor Alliance portal. The method of credential theft has not been determined; possibilities include phishing, credential stuffing from previously breached databases, or compromise of a healthcare provider's internal systems.

  2. Portal access — Using stolen credentials, the attacker authenticated to the Doctor Alliance web portal and gained access to patient clinical documents.

  3. Automated enumeration — The attacker deployed a script to systematically query the portal using varying patient ID and document number combinations, a classic IDOR/enumeration attack that only works when identifiers are predictable enough to iterate. This suggests the portal lacked rate limiting, anomaly detection on request patterns, or adequate authorization checks to verify that the requesting user was entitled to access each specific document.

  4. Multi-week dwell time — Access persisted intermittently for roughly two and a half weeks (October 31 to November 16) before the activity was flagged and the FBI was notified; the access window closed on November 17.

Whether the compromised account was protected by multi-factor authentication has not been disclosed, but the fact that stolen credentials alone were sufficient indicates MFA was either absent or defeated. Combined with no apparent per-account rate limiting on document requests, that allowed the scripted enumeration to run for more than two weeks before it was flagged.
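As an added illustration (not Doctor Alliance's code, and not taken from any source cited on this page), the following Python sketch shows the shape of the authorization defect the attack chain implies, next to the object-level check that closes it. The user model, the document store, the identifiers and the "stolen" account are constructed assumptions; the enumerate_with() helper stands in for the attacker's script so the two handlers can be compared on identical input.

```python
"""Added example (not Doctor Alliance's code): object-level authorization in a
document portal. Users, documents and identifiers below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    # Hypothetical model: the patient IDs this user's agency is entitled to see.
    patient_ids: frozenset


@dataclass(frozen=True)
class Document:
    patient_id: int
    doc_number: int
    title: str


class NotFound(Exception):
    """Raised for both nonexistent and unauthorized documents (see below)."""


# Constructed sample store keyed by (patient_id, doc_number). Sequential,
# low-entropy keys like these are what make enumeration cheap.
DOCS = {
    (1001, 1): Document(1001, 1, "Plan of care"),
    (1001, 2): Document(1001, 2, "Face-to-face encounter note"),
    (1002, 1): Document(1002, 1, "Plan of care"),
    (1003, 1): Document(1003, 1, "Plan of care"),
}


def fetch_document_vulnerable(user, patient_id, doc_number):
    """Authenticates but never authorizes: any logged-in account can read any
    document. This is the IDOR shape the article describes; with stolen
    credentials a script can iterate (patient_id, doc_number) freely."""
    if user is None:
        raise PermissionError("login required")
    doc = DOCS.get((patient_id, doc_number))
    if doc is None:
        raise NotFound()
    return doc


def fetch_document_hardened(user, patient_id, doc_number):
    """Authenticates and checks the caller is entitled to this patient.
    Unauthorized and nonexistent both map to NotFound so the response does
    not tell an enumerating script which IDs exist outside its scope."""
    if user is None:
        raise PermissionError("login required")
    if patient_id not in user.patient_ids:
        raise NotFound()
    doc = DOCS.get((patient_id, doc_number))
    if doc is None:
        raise NotFound()
    return doc


def enumerate_with(fetch, user, patient_range, doc_range):
    """Stand-in for the attacker's script: try every combination and keep
    whatever the handler returns."""
    harvested = []
    for pid in patient_range:
        for dn in doc_range:
            try:
                harvested.append(fetch(user, pid, dn))
            except NotFound:
                continue
    return harvested


# Constructed: a stolen account from an agency that serves only patient 1001.
STOLEN = User("agency_clinician", frozenset({1001}))

if __name__ == "__main__":
    ids, docs = range(1000, 1010), range(1, 4)
    vuln = enumerate_with(fetch_document_vulnerable, STOLEN, ids, docs)
    hard = enumerate_with(fetch_document_hardened, STOLEN, ids, docs)
    print("vulnerable handler leaked", len(vuln), "documents")  # 4
    print("hardened handler leaked", len(hard), "documents")    # 2
```

Two design choices matter here. First, the scoping set is attached to the authenticated principal and consulted on every retrieval, so the check cannot be skipped by guessing identifiers; in a real portal that set would come from the agency-to-patient relationship in the database rather than a hard-coded frozenset. Second, the hardened handler returns the same "not found" result for documents that do not exist and for documents the caller is not allowed to see; returning a distinct 403 for the latter would hand an enumerating script an oracle for which patient IDs are live.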

What Organizations Should Do

  1. Require MFA on all healthcare portals and vendor-provided platforms — Stolen credentials alone should never be sufficient to access PHI. Any vendor portal handling patient data that does not enforce MFA should be treated as a critical security gap requiring immediate remediation or contractual escalation.

  2. Audit third-party vendor access to PHI, now — Conduct a full inventory of every software vendor with access to patient data. For each, verify: Do they enforce MFA? Do they have a SOC 2 or HITRUST certification? Do your BAAs (Business Associate Agreements) require breach notification within a defined timeframe? Doctor Alliance notified Amedisys roughly seven weeks after detecting the intrusion; a lag of that length should be contractually impermissible.

  3. Implement API and portal rate limiting and anomaly detection — Scripted enumeration attacks generate distinctive traffic patterns: high request volume, sequential or near-sequential IDs, consistent timing, and a high proportion of not-found or forbidden responses as the script probes identifiers that do not exist. Because the traffic arrives over a valid, authenticated session, network-level WAF rules alone are not enough: limits and detections must be keyed to the account and session, and the portal should be able to suspend an account whose request pattern crosses those thresholds. Any portal serving sensitive records without these controls is vulnerable to the same technique used here.

  4. Review authorization logic for document access — The scripted attack used varying patient ID and document number combinations to pull records. This suggests document access may not have been scoped to the authenticated user's authorized patients. Verify that every API endpoint and document retrieval path enforces object-level authorization — not just authentication.

  5. Establish a short, fixed breach notification SLA in all BAAs — HIPAA's 60-day outer limit is a ceiling, not a target. Healthcare organizations should require vendors to notify them within 5–10 business days of confirmed or suspected unauthorized access. Four-month gaps between breach and patient notification are ethically indefensible and an invitation to regulatory scrutiny.

  6. Notify affected patients promptly and specifically — Generic breach notifications increase distrust without enabling protective action. Patients should be told exactly what data was exposed, what risk that creates (insurance fraud, medical identity theft), and what concrete steps to take — including requesting their Explanation of Benefits history from insurers and monitoring for fraudulent medical claims.
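To make recommendation 3 concrete, here is an added example (written for this article, not part of Doctor Alliance's or any vendor's tooling) of detection logic that flags scripted enumeration in portal access logs. The log format, the clinician_a and stolen_acct accounts, the sample lines and the thresholds are all constructed assumptions; a real deployment would tune them against the portal's own baseline traffic.

```python
"""Added example (not Doctor Alliance's or any vendor's tooling): flagging
scripted enumeration in portal access logs. Log format, accounts, sample
lines and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed thresholds; tune against the portal's own baseline traffic.
WINDOW_SECONDS = 300      # sliding window per account
MIN_REQUESTS = 30         # volume needed before the other signals are weighed
SEQUENTIAL_RATIO = 0.8    # share of consecutive requests whose patient IDs differ by <= 2
ERROR_RATIO = 0.3         # share of 403/404 responses (enumeration misses often)
MAX_TIMING_STDEV = 0.5    # seconds; scripts fire at machine-regular intervals


def parse_line(line):
    """Constructed format: '<ISO8601 ts> <user> <patient_id> <doc_number> <status>'."""
    ts, user, pid, dn, status = line.split()
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return (stamp, user, int(pid), int(dn), int(status))


def window_features(window):
    """Pattern features over one account's requests inside a time window."""
    pids = [r[2] for r in window]
    deltas = [abs(b - a) for a, b in zip(pids, pids[1:])]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(window, window[1:])]
    return {
        "requests": len(window),
        "sequential_ratio": sum(1 for d in deltas if d <= 2) / len(deltas),
        "error_ratio": sum(1 for r in window if r[4] in (403, 404)) / len(window),
        "timing_stdev": pstdev(gaps),
    }


def detect_enumeration(lines):
    """Return {user: finding} for accounts whose request pattern looks scripted.
    Signals are keyed to the authenticated account, not the source IP, because
    the traffic in a stolen-credential case comes from a valid login."""
    by_user = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_user[rec[1]].append(rec)

    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r[0])
        j = 0
        for i in range(len(recs)):
            # Advance j to the last request within WINDOW_SECONDS of request i.
            while j + 1 < len(recs) and (recs[j + 1][0] - recs[i][0]).total_seconds() <= WINDOW_SECONDS:
                j += 1
            window = recs[i:j + 1]
            if len(window) < MIN_REQUESTS:
                continue
            f = window_features(window)
            reasons = []
            if f["sequential_ratio"] >= SEQUENTIAL_RATIO:
                reasons.append("near-sequential patient IDs")
            if f["error_ratio"] >= ERROR_RATIO:
                reasons.append("high not-found/forbidden ratio")
            if f["timing_stdev"] <= MAX_TIMING_STDEV:
                reasons.append("machine-regular request timing")
            if len(reasons) >= 2:  # volume plus at least two pattern signals
                findings[user] = {"requests_in_window": f["requests"], "reasons": reasons}
                break
    return findings


# Constructed sample traffic: a clinician opening a few charts, and a stolen
# account walking patient IDs one per second with most lookups missing.
NORMAL_LOG = [
    "2025-10-31T02:00:00Z clinician_a 4521 2 200",
    "2025-10-31T02:07:13Z clinician_a 4521 3 200",
    "2025-10-31T02:31:40Z clinician_a 7718 1 200",
    "2025-10-31T02:45:05Z clinician_a 7718 2 404",
]
SCRIPTED_LOG = [
    f"2025-10-31T03:00:{i:02d}Z stolen_acct {1000 + i} 1 {200 if i % 3 == 0 else 404}"
    for i in range(60)
]

if __name__ == "__main__":
    for user, finding in detect_enumeration(NORMAL_LOG + SCRIPTED_LOG).items():
        print(user, finding)
```

The detector deliberately requires volume plus at least two independent pattern signals before it flags an account, because any one of them alone has benign explanations: a clinician reviewing a caseload may open many charts, and a mistyped identifier produces a 404. A human working through a worklist does not, however, produce sixty sequential patient IDs at one-second intervals with two thirds of them missing. The same features can drive an in-line rate limiter that suspends the session rather than only raising an alert after the fact.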
