ALN Medical Management, a Nebraska-based revenue cycle management firm acquired by Health Prime in 2023, suffered a March 2024 cyberattack. The firm initially reported a HIPAA breach affecting 501 individuals but later revised the estimate to 1.8 million victims. The unauthorized actor accessed ALN’s third-party hosted systems between March 18–24, 2024, exfiltrating sensitive patient data, including names, Social Security numbers, driver’s license numbers, government-issued IDs (passports, state IDs), financial details (account/credit/debit card numbers), medical records, and health insurance information. The breach led to a $4 million class-action settlement, with eligible victims able to claim up to $5,000 for documented losses or a $50 pro rata cash payment, alongside one year of free credit and medical identity monitoring. The incident underscores the rising threat to third-party healthcare vendors: a compromise of one vendor's hosted environment exposes protected health information (PHI) and personally identifiable information (PII) belonging to the patients of many client organizations at once, triggering regulatory scrutiny, financial penalties, and reputational damage. The court’s preliminary settlement hearing is pending.
Source: https://www.bankinfosecurity.com/aln-octapharma-plasma-agree-to-settle-breach-lawsuits-a-29705
TPRM report: https://www.rankiteo.com/company/aln-medical-management
{
  "id": "aln4802448101125",
  "linkid": "aln-medical-management",
  "type": "Breach",
  "date": "6/2023",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  'affected_entities': [
    {
      'customers_affected': '1,800,000 (patients of ALN’s clients)',
      'industry': 'Healthcare',
      'location': 'Lincoln, Nebraska, USA (acquired by Health Prime, Maryland)',
      'name': 'ALN Medical Management',
      'type': 'Revenue Cycle Management Firm',
    },
    {
      'customers_affected': '271,800',
      'industry': 'Healthcare/Pharma',
      'location': 'North Carolina, USA (owned by Octapharma AG, Lachen, Switzerland)',
      'name': 'Octapharma Plasma',
      'size': '190 donation centers in 35 states',
      'type': 'Pharmaceutical Manufacturer (Blood Plasma Collection)',
    },
  ],
  'attack_vector': [
    {'entity': 'ALN Medical Management', 'vector': 'Third-party hosted environment compromise'},
    {'entity': 'Octapharma Plasma', 'vector': 'Suspicious IT system activity (file share system)'},
  ],
  'customer_advisories': [
    {'advisory': '1 year of complimentary credit and medical identity monitoring',
     'entity': 'ALN Medical Management'},
    {'advisory': '3 years of complimentary credit and identity monitoring, cash payments up to $100 ($150 for California residents)',
     'entity': 'Octapharma Plasma'},
  ],
  'data_breach': {
    'data_exfiltration': [
      {'entity': 'ALN Medical Management', 'status': 'Yes (files/folders acquired)'},
      {'entity': 'Octapharma Plasma', 'status': 'Yes (file share system data acquired)'},
    ],
    'number_of_records_exposed': [
      {'entity': 'ALN Medical Management', 'records': '1,800,000'},
      {'entity': 'Octapharma Plasma', 'records': '271,800'},
    ],
    'personally_identifiable_information': [
      'Names',
      'Social Security Numbers',
      'Driver’s License Numbers',
      'Government-Issued IDs',
      'Dates of Birth',
      'Financial Account Numbers',
      'Health Insurance Information',
      'Medical Information',
      'Donor Eligibility Information',
    ],
    'sensitivity_of_data': 'High (PII, PHI, financial data)',
    'type_of_data_compromised': [
      'Personally Identifiable Information (PII)',
      'Protected Health Information (PHI)',
      'Financial Data',
    ],
  },
  'date_detected': [
    {'date': '2024-03-18 to 2024-03-24 (unauthorized access period)', 'entity': 'ALN Medical Management'},
    {'date': '2024-04-17', 'entity': 'Octapharma Plasma'},
  ],
  'date_publicly_disclosed': [
    {'date': '2024-05 (initial HIPAA breach report)', 'entity': 'ALN Medical Management'},
    {'entity': 'Octapharma Plasma'},
  ],
  'description': 'ALN Medical Management and Octapharma Plasma agreed to settle class action lawsuits stemming from separate 2024 cyber incidents. ALN, a revenue cycle management firm, will pay $4 million for a breach affecting ~1.8 million individuals, initially reported as 501 but later revised to 1.3 million. Octapharma Plasma, a blood plasma manufacturer, will pay $2.55 million for an April 2024 attack compromising ~272,000 records. Both incidents involved unauthorized access to sensitive personal and health data, with settlements offering cash payments, credit monitoring, and identity protection services.',
  'impact': {
    'brand_reputation_impact': [
      'Class action lawsuits',
      'Public disclosure of negligence allegations',
    ],
    'data_compromised': [
      {
        'entity': 'ALN Medical Management',
        'records': '1,800,000 (revised from 1.3M; initial placeholder: 501)',
        'types': [
          'Names',
          'Social Security Numbers',
          'Driver’s License Numbers',
          'Government-Issued ID Numbers (passports, state IDs)',
          'Financial Information (account numbers, credit/debit cards)',
          'Medical Information',
          'Health Insurance Information',
        ],
      },
      {
        'entity': 'Octapharma Plasma',
        'records': '271,800',
        'types': [
          'Names',
          'Dates of Birth',
          'Social Security Numbers',
          'Health Information',
          'Donor Eligibility Information',
        ],
      },
    ],
    'downtime': [
      {'duration': 'Several weeks (2024)', 'entity': 'Octapharma Plasma'},
    ],
    'financial_loss': [
      {'amount': '$4,000,000 (settlement)', 'entity': 'ALN Medical Management'},
      {'amount': '$2,550,000 (settlement)', 'entity': 'Octapharma Plasma'},
      {'amount': "$842,000 (plaintiffs' attorney fees)", 'entity': 'Octapharma Plasma'},
    ],
    'identity_theft_risk': ['High (PII/PHI exposure for both entities)'],
    'legal_liabilities': [
      'Settlement payouts ($6.55M total)',
      'Potential HIPAA violations (ALN)',
      'California-specific claims (Octapharma Plasma)',
    ],
    'operational_impact': [
      {'entity': 'Octapharma Plasma',
       'impact': 'Disruption of blood plasma donation centers (190 centers in 35 states)'},
    ],
    'payment_information_risk': [
      {'entity': 'ALN Medical Management',
       'risk': 'Financial information (account numbers, credit/debit cards) compromised'},
    ],
    'systems_affected': [
      {'entity': 'ALN Medical Management',
       'systems': 'Third-party hosted environment (files/folders)'},
      {'entity': 'Octapharma Plasma',
       'systems': 'IT systems (file share system), blood collection/processing operations (disrupted for weeks)'},
    ],
  },
  'investigation_status': [
    {'entity': 'ALN Medical Management', 'status': 'Completed (court documents)'},
    {'entity': 'Octapharma Plasma', 'status': 'Completed (FBI involved)'},
  ],
  'motivation': [
    'Financial Gain (class action settlements)',
    'Data Theft (PII/PHI)',
  ],
  'post_incident_analysis': {
    'root_causes': [
      'Negligence in protecting sensitive information (alleged in lawsuits)',
      'Third-party supplier vulnerabilities (ALN)',
    ],
  },
  'references': [
    {'source': 'Data Privacy, Data Security, Healthcare - ALN, Octapharma Plasma Agree to Settle Breach Lawsuits'},
    {'source': "The Healthcare CISO's Guide to Medical IoT Security"},
    {'source': 'Revenue Cycle Management Firm Hack Affects Patients, Clients'},
    {'source': 'FDA Urges Blood Suppliers to Beef Up Cyber'},
    {'source': 'Suspected Attack Shuts Down US Blood Plasma Donation Centers'},
    {'source': 'OneBlood Agrees to Pay $1M Settlement in Ransomware Hack'},
  ],
  'regulatory_compliance': {
    'legal_actions': [
      'Class action lawsuits (both entities)',
      'Settlement agreements ($6.55M total)',
    ],
    'regulations_violated': [
      'HIPAA (ALN Medical Management)',
      'Potential state-level data protection laws (e.g., California for Octapharma Plasma)',
    ],
    'regulatory_notifications': [
      {'agency': 'U.S. federal regulators (HIPAA breach report)', 'entity': 'ALN Medical Management'},
      {'agency': 'State regulators', 'entity': 'Octapharma Plasma'},
    ],
  },
  'response': {
    'communication_strategy': [
      {'actions': 'HIPAA breach notification (May 2024), revised victim count',
       'entity': 'ALN Medical Management'},
      {'actions': 'State regulator notifications, breach notice',
       'entity': 'Octapharma Plasma'},
    ],
    'incident_response_plan_activated': [
      {'entity': 'ALN Medical Management', 'status': 'Yes (investigation conducted)'},
      {'entity': 'Octapharma Plasma', 'status': 'Yes (FBI notified, investigation conducted)'},
    ],
    'law_enforcement_notified': [
      {'agency': 'FBI', 'entity': 'Octapharma Plasma'},
    ],
  },
  'title': 'ALN Medical Management and Octapharma Plasma Data Breach Settlements (2024)',
  'type': [
    'Data Breach',
    'Unauthorized Access',
    'Class Action Lawsuit Settlement',
  ],
}