NextGen Healthcare Loses Personal Data of 1M People in Second Data Breach This Year

Hackers stole the personal information, including Social Security numbers, of at least a million people from NextGen Healthcare, an SaaS that develops electronic health records on practice management systems for the healthcare industry, according to a disclosure filed with the Attorney General of Maine.

The disclosure filed by NextGen said the breach was detected April 24, 2023 and occurred between 3/29/23 and 4/14/23. The hackers gained entry using stolen personal identifications to gain entry to the NextGen Healthcare system. NextGen Healthcare told the AG’s office that hackers gained access to its system using client credentials that “appear to have been stolen from other sources or incidents unrelated to NextGen.”

The NextGen breach poses a major threat to its victims, said Tom Kellermann, senior vice president of cyber strategy at Contrast Security, in a statement provided to the cybersecurity news site Dark Reading.

“This is a massive cybercrime which will result in widespread identity theft,” Kellermann said to Dark Reading. “Healthcare providers have long been preferred targets by cybercriminals who specialize in identity theft due to two reasons: First they have woeful inadequate cybersecurity and second, they store the most sensitive PII.”

NextGen Healthcare was the target of a previous breach in January of the year by the ransomware gang known as BlackCat, according to the news site DataBreaches.net. BlackCat briefly “listed” photos of a sample of the data taken from NextGen Healthcare, but soon removed the images without explanation. A threat assessment by the Department of Homeland Security described BlackCat as a “relatively new but highly-capable ransomware threat to the health sector.”

The most recent data breach has already prompted a lawsuit against NextGen Health. NextGen Healthcare issued a statement saying that only a “limited set of personal information” was lost in the breach.

“There was unauthorized access to a limited set of personal information, however there is no evidence of any access or impact to any patient health or medical information from this incident,” said a spokeswoman for NextGen. “The individuals known to be impacted by this incident were notified on April 28.”