ALN Medical Management, a Nebraska-based revenue cycle management company, has agreed to pay $4 million to settle class action litigation over a March 2024 cybersecurity incident. As reported below, this was a hacking incident that occurred in March 2024, which was initially reported to the HHS’ Office for Civil Rights (OCR) using a placeholder figure of at least 501 affected individuals. The breach total was then revised to more than 1.8 million individuals, and subsequently revised downwards to 1,323,720 individuals. The incident is now archived on the OCR breach portal, indicating that OCR has closed the investigation.

ALN Medical Management and its healthcare clients, Allied Physicians Group, PLLC, Bethany Medical Clinic of New York, PLLC, Hoag Clinic, and National Spine and Pain Centers, LLC, were named in class action lawsuits over the data breach, which were consolidated in a single suit, In Re: ALN Medical Management Data Incident Litigation, in the U.S. District Court for the District of Nebraska.

The lawsuit alleged that ALN Medical Management used the information technology company Long View to host, manage, and secure its IT environment against unauthorized access, and that ALN stored its healthcare clients’ data within an environment hosted, supported, and managed by Long View, which was also named as a defendant in the litigation. Between March 18, 2024, and March 24, 2024, an unauthorized third party gained access to that environment and either accessed or acquired the sensitive data of approximately 1.8 million individuals. The consolidated class action lawsuit asserted claims of negligence, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and violations of the California Consumer Privacy Act.

The defendants deny any wrongdoing, and the plaintiffs believe they have made valid claims; however, all parties quickly moved to settle the litigation, and on August 4, 2025, a settlement in principle was agreed upon. The terms of the settlement have now been finalised and await preliminary approval from the court. Under the terms of the proposed settlement, a $4 million settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the named plaintiffs. After all costs have been deducted, the remaining funds will be used to pay for benefits for the class members.

Class members may choose one of two cash payments: They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member or, alternatively, they can submit a claim for a cash payment. The cash payments are expected to be approximately $50.00 per class member, but may be adjusted upwards or downwards based on the number of valid claims received. The dates for objection, exclusion, and submitting a claim have yet to be set.

May 29, 2025: More Than 1.8 Million Individuals Affected by 2024 ALN Medical Management Data Breach

ALN Medical Management, a Lincoln, Nebraska-based provider of revenue cycle and billing services to the healthcare industry, has recently confirmed the scale of a data breach that occurred more than a year ago in March 2024. The protected health information of more than 1.8 million individuals was compromised in the incident.

On May 23, 2024, ALN Medical Management filed a breach report with the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. At the time, the investigation into the cyberattack and the review of the compromised files were ongoing. In March 2025, ALN Medical Management provided an update on the data breach, confirming that the hackers obtained files from systems hosted by a third-party service provider. The files included individuals’ names, Social Security numbers, driver’s license numbers, government-issued ID numbers, financial information (account number, credit/debit card number), medical information, and health insurance information.

ALN Medical Management started mailing notification letters to the affected individuals on March 21, 2025, and is offering them complimentary credit monitoring and identity theft protection services. The notification process has been ongoing, as there have been reports of notification letters only recently being received. The HHS’ Office for Civil Rights has been provided with an updated total, with the OCR breach portal now showing that the protected health information of 1,823,844 individuals was compromised in the incident. (Update October 2025: That total has since been revised downwards to 1,323,720 individuals.)

State attorneys general have also been provided with updated breach notices, including in Texas, California, and Massachusetts. The notification letter to the Massachusetts Attorney General lists four affected clients: National Spine and Pain in Frederick, Maryland; Inpatient Physician Associates in Lincoln, Nebraska; Hoag Clinic in Costa Mesa, California; and Allied Physicians Group of Melville, New York. It is currently unclear how many other healthcare organizations have been affected.

ALN Medical Management and its Maryland-based parent company, Health Prime International, are facing multiple class action lawsuits over the data breach, with many law firms having opened investigations into potential litigation. The lawsuits already filed allege negligence due to the failure to implement reasonable and appropriate security measures and adhere to industry standard best practices, breach of contract, and other claims. The lawsuits seek financial damages, reimbursement of out-of-pocket expenses, and injunctive relief, requiring ALN Medical Management to implement additional security measures to prevent further data breaches.

The post ALN Medical Management to Pay $4 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack

Posted October 13, 2025 by Steve Alder

On October 10, 2025, SimonMed Imaging started mailing notification letters to the individuals affected by its January 2025 cyberattack. SimonMed Imaging is one of the largest medical imaging providers in the country, operating more than 170 medical imaging facilities in 10 U.S. states. In a breach notice to the Maine Attorney General, the Scottsdale, AZ-based company confirmed that the protected health information of 1,275,669 individuals was compromised in the incident, including 22 Maine residents. The HHS’ Office for Civil Rights breach portal still lists the incident with a 500-individual placeholder figure.

The notification letters provide little extra information beyond that provided in its previous announcement, other than the fact that data theft has now been confirmed. While patient data was stolen in the attack, SimonMed Imaging said it is unaware of any misuse of the stolen data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

As previously reported, the Medusa ransomware group claimed responsibility for the attack; however, SimonMed Imaging is not currently listed on the group’s data leak site, which suggests that the ransom was paid. Regardless, the affected individuals should take advantage of the free services being offered.

Apr 2, 2025: SimonMed Imaging Confirms January 2025 Cyberattack

SimonMed Imaging has recently confirmed that it was affected by a cybersecurity incident earlier this year that involved unauthorized access to patient data via one of its vendors. The Scottsdale, Arizona-based radiology practice said that on January 27, 2025, it was alerted by one of its vendors that they were experiencing a security incident. A review was initiated of its own systems, and the following day, January 28, 2025, suspicious activity was identified within the SimonMed network. Immediate action was taken to contain the situation, and a forensic investigation was initiated to determine the extent to which systems had been compromised and the nature of the unauthorized activity.

The investigation confirmed that an unauthorized actor had direct access to its systems between January 21, 2025, and February 5, 2025. The review of the affected files is ongoing to identify the individuals who had their data exposed, but the initial findings of the investigation suggest that the following data has been exposed and potentially stolen: names, addresses, birth dates, dates of service, provider names, medical record numbers, patient numbers, medical condition information, diagnosis/ treatment information, medications, health insurance information, and driver’s license numbers. The data exposed in the incident varies from individual to individual.

SimonMed said several steps have been taken to improve security as a result of the incident, including enhancing multifactor authentication, resetting passwords, implementing endpoint detection and response monitoring, and removing all third-party vendor direct access to systems within SimonMed’s environment and all associated tools. As the investigation progresses, further technical safeguards will be implemented to bolster existing protections.

SimonMed did not state the name of the threat group behind the attack, nor was any confirmation provided on whether ransomware was used. The Medusa ransomware group had previously claimed responsibility for the attack and said more than 212 GB of data had been infiltrated, and proof of the breach was posted on its data leak site. Medusa claimed to have demanded a $1 million ransom payment and gave a deadline of February 21, 2025, for payment to be made. At least one class action lawsuit has already been filed against SimonMed over the incident.

The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals. The total will be updated when the investigation and file review have concluded.

The post SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack appeared first on The HIPAA Journal.