NextGen Healthcare, a company based in the United States that specializes in electronic health record software, has acknowledged a security breach in which hackers infiltrated its systems and unlawfully obtained personal data belonging to over 1 million patients.
In an official data breach notification submitted to the Maine attorney general's office, NextGen Healthcare verified that hackers successfully accessed the personal information of approximately 1.05 million patients, including about 4,000 individuals residing in Maine. NextGen Healthcare sent a letter to the affected individuals, disclosing that the stolen data comprised patients' names, dates of birth, addresses, and Social Security numbers.
The company emphasized, "Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data." However, when queried by TechCrunch regarding the company's ability to determine the extent of the data exfiltration through means such as logs, NextGen Healthcare spokesperson Tami Andrade declined to provide a response.
As outlined in the filing submitted to the Maine Attorney General, NextGen Healthcare was first alerted to suspicious activities on March 30. Subsequently, the company determined that hackers had gained access to their systems between March 29 and April 14, 2023. The notification revealed that the attackers exploited NextGen Office, a cloud-based electronic health record and practice management solution, using client credentials that seemingly originated from other unrelated incidents or sources.
Andrade informed TechCrunch, "When we learned of the incident, we took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement." The affected individuals were officially notified about the incident on April 28, 2023, and NextGen Healthcare has offered them 24 months of complimentary fraud detection and identity theft protection.
Earlier this year, NextGen Healthcare fell victim to a ransomware attack reportedly attributed to the ALPHV ransomware gang, also known as BlackCat. A listing found on ALPHV's dark web leak site, reviewed by TechCrunch, included samples of the compromised data, featuring employee names, addresses, phone numbers, and passport scans.
The revelation of NextGen's recent breach coincides with a surge in the number of affected patients resulting from a large-scale ransomware attack on customers of Fortra's GoAnywhere file-transfer software. NationBenefits, a Florida-based technology company, confirmed last week that over 3 million members had their data stolen in the cyberattack. Additionally, Brightline, a provider of virtual therapy services for children, disclosed that data belonging to over 960,000 pediatric mental health patients had been compromised.