A year after the attack, ALN Medical Management has confirmed the full extent of its 2024 data breach.
ALN Medical Management, a Nebraska-based billing and revenue cycle management firm for healthcare providers, has confirmed that the protected health information (PHI) of more than 1.8 million individuals was compromised during a data breach in March 2024. While the incident was reported to the U.S. Department of Health and Human Services (HHS) in May 2024 with an initial placeholder estimate of 501 individuals, the scale of the breach was only fully revealed in 2025, following a detailed investigation.
The stolen files, which were hosted by a third-party vendor, included names, Social Security numbers, driver's license and government ID numbers, financial data, medical records, and health insurance information. ALN began mailing notification letters to affected individuals in March 2025 and is offering free credit monitoring and identity protection.
The HHS breach portal now reflects the updated total of 1,823,844 individuals affected. State attorneys general in Texas, California, and Massachusetts have also been notified. In its letter to Massachusetts regulators, ALN listed four healthcare clients affected by the breach:
It remains unclear how many additional healthcare providers were impacted, as ALN works with clients across multiple states.
Multiple class action lawsuits have been filed against ALN Medical Management and its parent company, Health Prime International. Plaintiffs allege negligence, breach of contract, and failure to follow security best practices. The lawsuits seek damages, reimbursement of expenses, and court-mandated improvements to ALN’s data protection measures.
ALN has not released a public statement beyond the formal notifications required by law. However, affected individuals have reported delays in receiving breach letters. Some notifications were still arriving months after the mailing process began, raising concerns about the timeliness and effectiveness of the response.
Law firms pursuing litigation argue that ALN failed to implement appropriate safeguards for sensitive patient data despite its role as a service provider to multiple healthcare entities.
Outsourcing billing and administrative services to third-party vendors, as seen in the ALN breach, creates additional exposure to cyber threats in healthcare. While vendors can improve efficiency, inadequate security on hosted systems increases the risk of data compromise. With patient information flowing through complex service networks, healthcare organizations need to enforce strict cybersecurity requirements and ensure that breach response, including detection, notification, and mitigation, is both timely and transparent.
These companies handle the administrative side of healthcare billing, from patient registration to insurance claims and payment collections. Providers use them to reduce overhead and improve payment processing.
The figure was a placeholder required by HHS when the breach was first reported. Full file reviews often take months, especially when third-party systems are involved.
No. Affected individuals typically need to opt in using the details provided in the notification letter. The service is offered at no cost, but enrollment is voluntary.
Yes. Under HIPAA, both covered entities and their business associates can face regulatory consequences, especially if vendor oversight is found lacking.
It’s a court-ordered requirement that a defendant take specific actions, in this case, improving data security to prevent future harm, in addition to any financial compensation awarded.