Doctor Alliance Breach Incident Score: Analysis & Impact (DOC4192541111125)

In this Rankiteo incident briefing, we review the Doctor Alliance breach identified under incident ID DOC4192541111125.

The analysis begins with a detailed overview of Doctor Alliance's information like the linkedin page: https://www.linkedin.com/company/doctor-alliance, the number of followers: 2591, the industry type: Hospitals and Health Care and the number of employees: 114 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 761 and after the incident was 612 with a difference of -149 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Doctor Alliance and their customers.

Doctor Alliance recently reported "Doctor Alliance Data Breach and Ransom Demand", a noteworthy cybersecurity incident.

A cyber-criminal group claims to have exfiltrated over 1.2 million records from U.S.

The disruption is felt across the environment, and exposing patient records (1.2M+), with nearly 1.2M+ records at risk.

In response, moved swiftly to contain the threat with measures like review audit logs for bulk data extraction and suspend/block compromised credentials, and began remediation that includes notify affected individuals and regulators and offer credit/identity-theft protection services.

The case underscores how unconfirmed by Doctor Alliance; ongoing analysis by researchers, teams are taking away lessons such as Securing business-associate and billing-vendor ecosystems is critical in healthcare, Healthcare data breaches have long-term risks (unlike resettable credentials) and Dependencies in upstream/downstream systems create extended vulnerability surfaces, and recommending next steps like Implement stricter audit logging for bulk data operations, Enhance third-party vendor risk assessments and Proactively monitor dark web for exposed healthcare data, with advisories going out to stakeholders covering Review audit logs for unusual activity, Suspend compromised credentials and Prepare regulatory notifications.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating review audit logs for bulk data extraction, suspend/block compromised credentials and Exploit Public-Facing Application (T1190) with moderate confidence (50%), supported by evidence indicating securing business-associate and billing-vendor ecosystems is critical in healthcare. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate confidence (60%), supported by evidence indicating review audit logs for bulk data extraction suggests credential misuse or exposure. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating exfiltrated over 1.2 million records, database records, patient documents and Data from Network Shared Drive (T1039) with moderate to high confidence (80%), supported by evidence indicating bulk data extraction implies targeting shared storage or databases. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with high confidence (90%), supported by evidence indicating threat actor posted a 200 MB sample of the stolen data on a public leak forum and Exfiltration Over C2 Channel (T1041) with moderate to high confidence (70%), supported by evidence indicating data exfiltration confirmed, method unspecified but likely C2-based. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with lower confidence (40%), supported by evidence indicating ransomware extortion type listed, though encryption not explicitly confirmed, Data Destruction (T1485) with lower confidence (30%), supported by evidence indicating demanding ransom for deletion of the full dataset implies threat of data destruction, and Double Extortion (T1659) with high confidence (95%), supported by evidence indicating ransomware extortion + exfiltrated 1.2M+ records + public leak forum post. Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with moderate confidence (60%), supported by evidence indicating suspend/block compromised credentials suggests attackers may have cleared logs or traces and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate confidence (50%), supported by evidence indicating review audit logs implies potential tampering with logging mechanisms. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.