7 Proposed Class Actions Filed Against Allegheny Health Network and IntraSystems

A Pittsburgh-based healthcare system and its Massachusetts-based IT services vendor are already facing at least seven proposed federal class action lawsuits involving a hacking breach – reported on Jan. 17 – affecting about 293,000 people.
Allegheny Health Network, which has 14 hospitals and more than 200 primary and specialty-care practices in more than 300 clinical locations and offices in western Pennsylvania, said an “unauthorized user” hacked IT vendor IntraSystems.
IntraSystems hosts and manages some IT systems that support AHN’s subsidiary home medical equipment and home infusion companies, AHN said.
The healthcare organization said the cybersecurity incident at IntraSystems led to unauthorized access to its computer systems beginning on Oct. 11, 2024, and AHN learned about the hack on Nov. 19, 2024.
The hacked AHN systems, hosted by IntraSystems, contained the information of patients who received services from AHN’s home medical equipment and home infusion therapy services, AHN said. “The unauthorized user was able to obtain some of this information.”
“Once discovered, immediate steps were taken to investigate and secure patient information and stop the unauthorized access to the systems and the data on them,” AHN said. “In addition to terminating the unauthorized access to the affected systems, including immediately taking those systems offline, connections with other systems were turned off to prevent additional unauthorized access. Law enforcement was also notified.”
Affected information may have included patients’ names, dates of birth, addresses, Social Security numbers, financial account numbers – but no access codes – health insurance identification numbers, health insurance information, and treatment information – including diagnoses, provider information, treatments and procedures, dates of service, prescription information, and medical device serial numbers, AHN said. “AHN is not aware of any actual or attempted identity theft or fraud as a result of this incident.”
In recent days, several other law firms have issued public statements saying they are investigating the AHN/IntraSystems incident for potential class action litigation.
As of Wednesday, at least seven proposed class action lawsuits had already been filed in Massachusetts and Pennsylvania federal courts against AHN and IntraSystems as co-defendants. The plaintiffs are making similar allegations, including negligence by the two firms in failing to secure patients’ sensitive health and personal information.
Neither AHN nor IntraSystems immediately responded to Information Security Media Group’s requests for comment and additional information about the incident, including whether a ransom was demanded or paid, and whether any other IntraSystems clients were affected by the hack.
Vendor Breaches
The IntraSystems incident is the latest in a long list of business associate breaches, including those involving an IT services vendor, affecting large numbers of patients.
As of Wednesday, the AHN/IntraSystems incident was not posted to the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Nonetheless, HHS’ Office for Civil Rights breach website as of Wednesday shows 49 major health data breaches reported so far in 2025, affecting a total of about 651,000 people. Of those, 32 incidents affecting nearly 470,000 people involved third-party business associates.
Last year, business associate incidents – including those involving IT services vendors – were responsible for the vast number of individuals affected by major breaches.
In 2024, as of Wednesday, the HHS OCR website showed 725 major breaches reportedly affecting more than 185.3 million people. Of those, 220 breaches were reported to involve business associates, affecting nearly 132 million people.
The HHS OCR website on Wednesday did not yet reflect the updated disclosure by IT services giant Change Healthcare late last week that its February 2024 ransomware breach affected 190 million people – up from an estimate of 100 million affected, as reported by the company in October 2024 (see: Change Healthcare Now Counts 190 Million Data Breach Victims).
Once updated to reflect Change Healthcare’s revised figures, the federal website will show at least 725 breaches affecting 275.3 million people, with 220 business associate incidents responsible for affecting 141 million individuals.