NextGen EHR suffers data breach

NextGen Healthcare has announced an EHR data breach that exposed personal information on more than 1 million patients. The unauthorized access took place between March 29 and April 14, 2023, allowing an unknown party to gain access to patients’ names, date of birth, addresses, and Social Security numbers. 

The event was characterized as “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen.”  

“Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data,” the company pointed out in its individual notification letter. “Furthermore, there is no evidence to suggest there has been any fraudulent use of the personal information accessed.” 

NextGen will offer two years of free fraud detection monitoring and identity theft services to the 1,049,375 individuals affected by the event.   

Since the incident, NextGen has reset passwords, reinforced other security measures, and is working with law enforcement to further investigate the occurrence, the company said. 

The breach follows swiftly on the heels of a purported ransomware attack that took place in January 2023. At the time, NextGen appeared to be hit by the suspected Russian group, BlackCat, characterized as a “relatively new but highly capable ransomware threat” by the Office of Information Security under the Department of Health and Human Services. 

According to the Washington Post, BlackCat put an alleged sample of NextGen data on its extortion site. However, the listing was later removed and NextGen does not believe any information was actually accessed by the perpetrators. 

“NextGen Healthcare is aware of this claim and we have been working with leading cybersecurity experts to investigate and remediate,” the company told the Washington Post at the time. “We immediately contained the threat, secured our network, and have returned to normal operations. Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client or patient data. The privacy and security of our client information is of the utmost importance to us.”  

Ransomware and other types of cyberattacks are all too common in healthcare, and are becoming more frequent as bad actors continually invent more sophisticated ways to get around security measures.   

The number of data breaches doubled between 2018 and 2021, HHS says, with more than 700 breaches reported in 2021 alone. Ransomware in particular has become an even more serious threat in the past few years as attackers now need less than four days, on average, to encrypt a target system – a 94 percent reduction in the time required to lock up key data and hold it hostage in exchange for currency or other demands. Some attackers can even compromise data within 30 minutes of system infection. 

Combatting an ever-changing arsenal of cyberattack weapons can be challenges for healthcare organizations, especially as threats from international hackers continue to grow.   

Organizations must identify and secure all points of entry into their digital infrastructure, including medical devices and employee email accounts that may be subject to phishing attempts. When a breach does occur, it is critical to have a rapid response plan to cordon off affected systems and/or restore access to key infrastructure to prevent disruptions in care delivery for patients.  

Taking proactive steps in risk management might not prevent all data breaches, but it can reduce the impact of these events on the organization and mitigate reputational damage that may result from experiencing a cyberattack.