As first reported by The HIPAA Journal, the Lincoln, Nebraska-based billing and revenue cycle provider confirmed that a March 2024 cyberattack compromised the protected health information of over 1.8 million individuals. Initially underreported with only 501 individuals listed, the updated breach report now reflects the full scale of the incident, which involved unauthorized access to systems hosted by a third-party service provider. Exposed data includes Social Security numbers, government-issued IDs, financial information, and sensitive medical and insurance records.
In March 2025, ALN began sending notification letters and offering complimentary credit monitoring and identity theft protection services. However, delays in the notification process have resulted in some affected individuals only recently being informed. State attorneys general in Massachusetts, Texas, and California have received updated notices, which list four impacted healthcare providers, although the total number of affected organizations remains unknown.
ALN Medical Management and its parent company, Health Prime International, now face a wave of class action lawsuits alleging negligence and failure to follow security best practices. Plaintiffs are seeking financial compensation, reimbursement of expenses, and court-mandated improvements to ALN’s data protection protocols. The breach highlights ongoing vulnerabilities in third-party healthcare service vendors and the cascading risks they pose to patient data security.
