ALN Medical breach exposes data of over 1.8 million patients

A year after the attack, ALN Medical Management has confirmed the full extent of its 2024 data breach.

 

What happened

ALN Medical Management, a Nebraska-based billing and revenue cycle management firm for healthcare providers, has confirmed that the protected health information (PHI) of more than 1.8 million individuals was compromised during a data breach in March 2024. While the incident was reported to the U.S. Department of Health and Human Services (HHS) in May 2024 with an initial placeholder estimate of 501 individuals, the scale of the breach was only fully revealed in 2025, following a detailed investigation.

The stolen files, which were hosted by a third-party vendor, included names, Social Security numbers, driver's license and government ID numbers, financial data, medical records, and health insurance information. ALN began mailing notification letters to affected individuals in March 2025 and is offering free credit monitoring and identity protection.

 

Going deeper

The HHS breach portal now reflects the updated total of 1,823,844 individuals affected. State attorneys general in Texas, California, and Massachusetts have also been notified. In its letter to Massachusetts regulators, ALN listed four healthcare clients affected by the breach:

  • National Spine and Pain (Maryland)
  • Inpatient Physician Associates (Nebraska)
  • Hoag Clinic (California)
  • Allied Physicians Group (New York)

It remains unclear how many additional healthcare providers were impacted, as ALN works with clients across multiple states.

Multiple class action lawsuits have been filed against ALN Medical Management and its parent company, Health Prime International. Plaintiffs allege negligence, breach of contract, and failure to follow security best practices. The lawsuits seek damages, reimbursement of expenses, and court-mandated improvements to ALN’s data protection measures.

 

What was said

ALN has not released a public statement beyond the formal notifications required by law. However, affected individuals have reported delays in receiving breach letters. Some notifications were still arriving months after the mailing process began, raising concerns about the timeliness and effectiveness of the response.

Law firms pursuing litigation argue that ALN failed to implement appropriate safeguards for sensitive patient data despite its role as a service provider to multiple healthcare entities.

 

The big picture

Outsourcing billing and administrative services to third-party vendors, as seen in the ALN breach, creates additional exposure to cyber threats in healthcare. While vendors can improve efficiency, inadequate security on hosted systems increases the risk of data compromise. With patient information flowing through complex service networks, healthcare organizations need to enforce strict cybersecurity requirements and ensure that breach response, including detection, notification, and mitigation, is both timely and transparent.

 

FAQs

What is a revenue cycle management company, and why do healthcare providers use them?

These companies handle the administrative side of healthcare billing, from patient registration to insurance claims and payment collections. Providers use them to reduce overhead and improve payment processing.

 

Why did ALN initially report only 501 affected individuals?

The figure was a placeholder required by HHS when the breach was first reported. Full file reviews often take months, especially when third-party systems are involved.

 

Are patients automatically enrolled in credit monitoring services?

No. Affected individuals typically need to opt in using the details provided in the notification letter. The service is offered at no cost, but enrollment is voluntary.

 

Can healthcare providers be held responsible if a vendor is breached?

Yes. Under HIPAA, both covered entities and their business associates can face regulatory consequences, especially if vendor oversight is found lacking.

 

What is injunctive relief in a class action lawsuit?

It’s a court-ordered requirement that a defendant take specific actions (in this case, improving data security to prevent future harm) in addition to any financial compensation awarded.