Cyberattack on Revenue Cycle Management Firm Impacts Patients and Clients


Incident Detected in March 2024 Marks Another Breach of Medical Billing Companies

Vendors providing revenue cycle management software and services manage vast amounts of patient health and financial information, making them attractive targets for cyberattacks. (Image: Getty Images)

A revenue cycle management firm based in Nebraska has revealed a significant data breach from March 2024, impacting numerous individuals and several companies. ALN Medical Management, which offers billing and revenue cycle management services to healthcare organizations, is alerting tens of thousands of affected parties that their personal, health, and financial data have likely been compromised.

ALN initially reported the incident to federal regulators in May 2024 as affecting approximately 501 individuals, an early placeholder estimate, and the U.S. Department of Health and Human Services has not yet recorded any further details about ALN's incident in its HIPAA Breach Reporting Tool. More recent filings with state attorneys general, however, indicate far higher numbers: the report filed in Texas states that 127,113 individuals are impacted.

The breach documents, submitted to additional states such as California and New Hampshire, currently lack specifics on the number of individuals affected in those jurisdictions. Experts in the field have raised concerns that the actual figures could be substantial, given the nature of ALN’s operations, which involve managing sensitive financial and medical records for a range of healthcare providers.

According to Mike Hamilton, the field CISO at Lumifi Cyber, ALN manages extensive records that include the financial and medical characteristics of patients. The attack appears to have exploited vulnerabilities within ALN’s third-party services, where the suspicious activity occurred. ALN’s investigation revealed unauthorized access to files between March 18 and March 24, 2024, although internal systems were reportedly unaffected.

The repercussions of this breach continue to unfold, as ALN faces several proposed federal class-action lawsuits alleging negligence and other failures related to the incident. Plaintiff Cameron Reed, leading one of the lawsuits, claims inadequate data security practices on ALN’s part and seeks financial damages along with stricter data protection measures.

The ongoing challenge of securing sensitive information through third-party vendors was underscored by regulatory attorney Paul Hales, who noted that breaches like those at ALN serve as critical reminders for healthcare providers to rigorously vet their revenue cycle management vendors. The mix of personal, financial, and medical data managed by such vendors makes them prime targets for cybercriminals, echoing the significant ransomware attack that targeted Change Healthcare earlier in 2024.

Mapped to the MITRE ATT&CK framework, the activity described so far would at minimum involve an initial access tactic to gain entry and some form of persistence during the window in which unauthorized file access occurred; the disclosure does not identify the specific techniques used. The exposure of sensitive information raises broader concerns for healthcare organizations and increases the urgency of comprehensive vendor management practices to mitigate such risks effectively.

The parent company of ALN, Health Prime, has yet to provide comments or further clarification surrounding the breach. As the developments continue to emerge, vigilance in monitoring cybersecurity practices will remain paramount for businesses engaged with third-party service providers in healthcare and beyond.
