ALN Medical Management to Pay $4 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

ALN Medical Management, a Nebraska-based revenue cycle management company, has agreed to pay $4 million to settle class action litigation over a March 2024 cybersecurity incident. As reported below, this was a hacking incident that occurred in March 2024, which was initially reported to the HHS’ Office for Civil Rights (OCR) using a placeholder figure of at least 501 affected individuals. The breach total was then revised to more than 1.8 million individuals, and subsequently revised downwards to 1,323,720 individuals. The incident is now archived on the OCR breach portal, indicating that OCR has closed the investigation.

ALN Medical Management and its healthcare clients, Allied Physicians Group, PLLC, Bethany Medical Clinic of New York, PLLC, Hoag Clinic, and National Spine and Pain Centers, LLC, were named in class action lawsuits over the data breach, which were consolidated in a single suit, In Re: ALN Medical Management Data Incident Litigation, in the U.S. District Court for the District of Nebraska.

The lawsuit alleged that ALN Medical Management used the information technology company Long View to host, manage, and secure its IT environment against unauthorized access, and that ALN stored its healthcare clients’ data within an environment hosted, supported, and managed by Long View, which was also named as a defendant in the litigation. Between March 18, 2024, and March 24, 2024, an unauthorized third party gained access to that environment and either accessed or acquired the sensitive data of approximately 1.8 million individuals. The consolidated class action lawsuit asserted claims of negligence, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and violations of the California Consumer Privacy Act.

The defendants deny any wrongdoing, and the plaintiffs believe they have made valid claims; however, all parties quickly moved to settle the litigation, and on August 4, 2025, a settlement in principle was agreed upon. The terms of the settlement have now been finalised and await preliminary approval from the court. Under the terms of the proposed settlement, a $4 million settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the named plaintiffs. After all costs have been deducted, the remaining funds will be used to pay for benefits for the class members.

Class members may choose one of two cash payments: They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member or, alternatively, they can submit a claim for a cash payment. The cash payments are expected to be approximately $50.00 per class member, but may be adjusted upwards or downwards based on the number of valid claims received. The dates for objection, exclusion, and submitting a claim have yet to be set.

May 29, 2025: More Than 1.8 Million Individuals Affected by 2024 ALN Medical Management Data Breach

ALN Medical Management, a Lincoln, Nebraska-based provider of revenue cycle and billing services to the healthcare industry, has recently confirmed the scale of a data breach that occurred more than a year ago in March 2024. The protected health information of more than 1.8 million individuals was compromised in the incident.

On May 23, 2024, ALN Medical Management filed a breach report with the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. At the time, the investigation into the cyberattack and the review of the compromised files were ongoing. In March 2025, ALN Medical Management provided an update on the data breach, confirming that the hackers obtained files from systems hosted by a third-party service provider. The files included individuals’ names, Social Security numbers, driver’s license numbers, government-issued ID numbers, financial information (account number, credit/debit card number), medical information, and health insurance information.

ALN Medical Management started mailing notification letters to the affected individuals on March 21, 2025, and is offering them complimentary credit monitoring and identity theft protection services. The notification process has been ongoing, as there have been reports of notification letters only recently being received. The HHS’ Office for Civil Rights has been provided with an updated total, with the OCR breach portal now showing that the protected health information of 1,823,844 individuals was compromised in the incident. (Update October 2025: That total has since been revised downwards to 1,323,720 individuals.)

State attorneys general have also been provided with updated breach notices, including in Texas, California, and Massachusetts. The notification letter to the Massachusetts Attorney General lists four affected clients: National Spine and Pain in Frederick, Maryland; Inpatient Physician Associates in Lincoln, Nebraska; Hoag Clinic in Costa Mesa, California; and Allied Physicians Group of Melville, New York. It is currently unclear how many other healthcare organizations have been affected.

ALN Medical Management and its Maryland-based parent company, Health Prime International, are facing multiple class action lawsuits over the data breach, with many law firms having opened investigations into potential litigation. The lawsuits already filed allege negligence due to the failure to implement reasonable and appropriate security measures and adhere to industry standard best practices, breach of contract, and other claims. The lawsuits seek financial damages, reimbursement of out-of-pocket expenses, and injunctive relief, requiring ALN Medical Management to implement additional security measures to prevent further data breaches.

The post ALN Medical Management to Pay $4 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack

Posted by Steve Alder

On October 10, 2025, SimonMed Imaging started mailing notification letters to the individuals affected by its January 2025 cyberattack. SimonMed Imaging is one of the largest medical imaging providers in the country, operating more than 170 medical imaging facilities in 10 U.S. states. In a breach notice to the Maine Attorney General, the Scottsdale, AZ-based company confirmed that the protected health information of 1,275,669 individuals was compromised in the incident, including 22 Maine residents. The HHS’ Office for Civil Rights breach portal still lists the incident with a 500-individual placeholder figure.

The notification letters provide little extra information beyond that provided in its previous announcement, other than the fact that data theft has now been confirmed. While patient data was stolen in the attack, SimonMed Imaging said it is unaware of any misuse of the stolen data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

As previously reported, the Medusa ransomware group claimed responsibility for the attack; however, SimonMed Imaging is not currently listed on the group’s data leak site, which suggests that the ransom was paid. Regardless, the affected individuals should take advantage of the free services being offered.

Apr 2, 2025: SimonMed Imaging Confirms January 2025 Cyberattack

SimonMed Imaging has recently confirmed that it was affected by a cybersecurity incident earlier this year that involved unauthorized access to patient data via one of its vendors. The Scottsdale, Arizona-based radiology practice said that on January 27, 2025, it was alerted by one of its vendors that they were experiencing a security incident. A review was initiated of its own systems, and the following day, January 28, 2025, suspicious activity was identified within the SimonMed network. Immediate action was taken to contain the situation, and a forensic investigation was initiated to determine the extent to which systems had been compromised and the nature of the unauthorized activity.

The investigation confirmed that an unauthorized actor had direct access to its systems between January 21, 2025, and February 5, 2025. The review of the affected files is ongoing to identify the individuals who had their data exposed, but the initial findings of the investigation suggest that the following data has been exposed and potentially stolen: names, addresses, birth dates, dates of service, provider names, medical record numbers, patient numbers, medical condition information, diagnosis/ treatment information, medications, health insurance information, and driver’s license numbers. The data exposed in the incident varies from individual to individual.

SimonMed said several steps have been taken to improve security as a result of the incident, including enhancing multifactor authentication, resetting passwords, implementing endpoint detection and response monitoring, and removing all third-party vendor direct access to systems within SimonMed’s environment and all associated tools. As the investigation progresses, further technical safeguards will be implemented to bolster existing protections.

SimonMed did not state the name of the threat group behind the attack, nor was any confirmation provided on whether ransomware was used.  The Medusa ransomware group had previously claimed responsibility for the attack and said more than 212 GB of data had been infiltrated, and proof of the breach was posted on its data leak site. Medusa claimed to have demanded a $1 million ransom payment and gave a deadline of February 21, 2025, for payment to be made. At least one class action lawsuit has already been filed against SimonMed over the incident.

The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals.  The total will be updated when the investigation and file review have concluded.

The post SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack appeared first on The HIPAA Journal.

Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member

Posted by Steve Alder

An Iowa nurse has been terminated for a HIPAA violation and has lost her unemployment benefits after disclosing the pregnancy status of a 17-year-old patient to a family member without the patient’s consent. Erica Hulsing was a registered nurse at Waverly Health Center in Waverly, Iowa, where she had been employed since September 2016. On April 17, 2025, Hulsing received a call from a family member of a 17-year-old patient inquiring about the patient’s recent stay at the hospital.

The patient had made an explicit request for her pregnancy status to be kept confidential; however, Hulsing informed the family member that the patient had been pregnant. Following the disclosure, the patient and family members filed complaints with the hospital over the disclosure, prompting an internal investigation. The hospital determined that Hulsing had disclosed highly sensitive information about a patient to an individual who was not authorized to receive that information, as the family member was not listed on her consent form. The hospital determined that the disclosure was a violation of the HIPAA Privacy Rule, which prohibits disclosures of protected health information to unauthorized individuals. The disclosure also violated hospital policies on professional conduct, resulting in termination for gross misconduct.

HIPAA gives patients the right to request that disclosures of their health information be restricted, including disclosures of their health information to family members. While individuals under 18 years of age are considered minors, if a 17-year-old consents to treatment under state law, the Privacy Rule generally allows the minor to exercise their own privacy rights.

Hulsing maintained that she was unaware that disclosing the patient’s pregnancy status to a family member violated the HIPAA Rules. Hulsing applied for unemployment benefits while her case was under review, and she was paid $4,214 in benefits; however, last month, Administrative Law Judge Duane Golden ruled that Hulsing was not eligible to receive unemployment benefits as her actions constituted job-related misconduct, and Hulsing was ordered to repay the $4,214 she received.

Disclosing patient information to any unauthorized individual can have serious consequences for both the healthcare professional and the patient. As this case clearly demonstrates, a lack of knowledge about the requirements of HIPAA is not a valid defense against a HIPAA violation. In this case, the patient’s request for confidentiality should have been respected, and the disclosure should only have been made if the patient had consented to the disclosure and that consent had been documented.

Healthcare professionals must ensure that they are aware of the requirements of HIPAA, and should ensure that they stay up to date with state and federal laws. Healthcare providers should ensure that they provide comprehensive HIPAA training to all employees to ensure they are aware of their responsibilities under HIPAA, and should reinforce training through annual refresher training sessions to help prevent HIPAA violations in the workplace.

The post Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member appeared first on The HIPAA Journal.