ALN and Octapharma Plasma Reach Settlement in Breach Lawsuits


Two Companies Face a Combined $6.5 Million in Class Action Settlements Post-2024 Cyber Attacks


ALN Medical Management, a Nebraska-based revenue cycle management firm, and Octapharma Plasma, a Swiss pharmaceutical company with U.S. blood plasma centers, have agreed to settle separate class action lawsuits prompted by cyberattacks that occurred in 2024. The total payout across the two settlements will amount to $6.5 million.

ALN Medical Management, owned by Maryland’s Health Prime since 2023, has consented to a $4 million settlement related to a March 2024 cyber incident initially reported as affecting 501 individuals. Revised figures, however, reveal that approximately 1.8 million patients’ data may have been compromised, marking a significant escalation from initial damage assessments. The preliminary court hearing regarding this settlement is yet to be scheduled.

Octapharma Plasma, meanwhile, faces a $2.55 million settlement in litigation stemming from an April 2024 breach that disrupted its IT infrastructure. The breach was reported to have compromised the personal information of nearly 272,000 individuals and affected operations at the company's 190 donation centers across 35 states. A final hearing concerning this settlement is anticipated on December 4.

Settlement Parameters

Both class action lawsuits asserted similar claims of negligence concerning the inadequate protection of sensitive personal data. Class members in both settlements can file claims for documented losses of up to $5,000. Alternatively, they can opt for a fixed cash payment, estimated at $50 for ALN and up to $100 for Octapharma Plasma, with an additional $50 for those who were California residents at the time of the hack. Both firms will also provide complimentary credit and identity monitoring services to affected individuals.

Recent Cybersecurity Trends

The breaches at ALN Medical Management and Octapharma Plasma underscore a worrying trend of increasing cyber threats targeting third-party providers within the healthcare ecosystem, potentially exploiting vulnerabilities associated with external partners. In particular, adversaries could have employed techniques such as initial access via phishing campaigns, persistence through backdoor installations, and privilege escalation, as outlined in the MITRE ATT&CK framework.

Unauthorized access to ALN's systems occurred between March 18 and March 24, during which sensitive data, including names, Social Security numbers, and health information, was accessed. In Octapharma Plasma's incident, an unauthorized actor acquired a range of personal and health-related data, prompting immediate notification to the FBI.

The frequency and scale of these incidents emphasize a need for heightened vigilance among healthcare organizations and their partners, especially as cybercriminals increasingly target the systems of suppliers, undermining the integrity of patient data and operational stability.
