Revenue cycle management security risks

ALN Medical Management is reporting that 1.82 million individuals have been affected by a March 2024 data breach. ALN’s original breach report, filed in May 2024, said that 501 people had been affected. The number of victims has increased significantly in recent weeks, as ALN continues its investigation into the scope of last year’s incident.

The latest total ranks the ALN breach as the 12th largest of all 734 health data breaches reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) last year. The incident also ranks as the eighth largest of 222 health data breaches in 2024 involving HIPAA business associates.

As a third-party vendor that holds or transmits protected health information (PHI), ALN is a HIPAA business associate and is vulnerable to attack.

ALN Medical Management is Hacked

In its breach notice, ALN explained that in March 2024, it became aware of suspicious activity related to systems hosted by a third-party service provider. ALN began an investigation with the assistance of outside cybersecurity experts to determine the nature and scope of the incident.

“The investigation determined that certain files and folders within our third-party hosted environment were accessed or taken by an unauthorized actor between March 18, 2024, and March 24, 2024.”

ALN reviewed the impacted data to determine what information was compromised and to identify affected individuals.

The following types of sensitive personal and protected health information may have been compromised: individuals’ name, Social Security number, driver’s license number, government-issued ID number (e.g., passport, state ID card), financial information (e.g., account number, credit or debit card number), medical information and health insurance information.

Class Action Lawsuits Follow

According to HealthcareInfoSecurity.com, as of May 28, 2025, ALN faced at least 16 proposed federal class action lawsuits related to the breach, alleging various claims, including negligence in failing to protect individuals’ sensitive information from theft by cybercriminals.

Revenue Cycle Management is Vulnerable to Cybercrime

The massive breach at ALN highlights the vulnerability of third-party vendors in healthcare to cybercrime.

A revenue cycle management company typically has multiple contracts with firms of all sizes across the country. It handles PHI belonging to millions of patients. All of that data is valuable to criminals, and one successful hack on one third-party vendor yields a vast trove of data.

HIPAA Risk Analysis and Risk Management

Key questions ALN will need to answer revolve around its HIPAA risk analysis.

HIPAA mandates certain safeguards to protect the privacy and security of patient data. HIPAA also requires that regulated entities conduct a risk analysis at least annually. ALN’s policies, procedures and cybersecurity practices will all be under scrutiny in a HIPAA investigation and the pending lawsuits.

If the breach happened in spite of strong compliance and cybersecurity best practices, ALN’s exposure will be much less. On the other hand, if ALN did not follow HIPAA diligently, the investigation and lawsuits may be very costly.
