Next Up, NextGen: Data Breach for EHR Giant

NextGen Healthcare, a major player in the US Electronic Health Records (EHR) market, is facing a series of lawsuits due to a significant data breach that compromised the personal information of over one million individuals. The exposed data includes names, addresses, dates of birth, and Social Security numbers. The NextGen data breach took place between March 29 and April 14, 2023, when an unauthorized third party gained access to a limited set of personal data.

NextGen Faces Multiple Lawsuits and Breach Fallout

Numerous law firms across the United States are now investigating the incident, particularly focusing on the vendor’s security measures that were in place at the time of the breach. Among these is Markovits, Stock & DeMarco, a law firm that specializes in class-action lawsuits, which is encouraging affected individuals to explore possible legal remedies. One class-action lawsuit, filed in Georgia by attorneys representing a New York resident, alleges that NextGen “did not follow federal and industry guidelines for protecting data” and that “all the data was vulnerable.” 

Data Breach Exposed Personal Information

In response to the NextGen data breach, the vendor stated that it found no evidence of any access or impact to patient health or medical information. After discovering the unauthorized access, NextGen engaged leading outside cybersecurity experts to conduct an in-depth investigation. The company also alerted law enforcement and notified the individuals affected by the incident, while also providing them with free credit monitoring. 

Details of the Breach and Security Review

NextGen’s breach notification submitted to the Maine attorney general’s office confirmed that an unauthorized party had accessed personal information stored in its systems, including names, dates of birth, addresses, and Social Security numbers of around one million individuals. The company confirmed to Healthcare IT News that provider credentials that may have been stolen were used to gain access to the data, but that no PHI (Protected Health Information) had been compromised. Since the NextGen data breach, the firm has reset passwords and reviewed its security. 

Ransomware Attack Details and Concerns over Compromised Credentials

It’s worth noting that in January, NextGen was a victim of the Black Cat ransomware, a strain from the Russian ALPHV ransomware group, which is considered one of the most sophisticated ransomware-as-a-service variants. Protective measures such as unified endpoint management and multi-factor authentication can’t necessarily protect against compromised credentials. Therefore, chief information cybersecurity officers are growing more concerned about electronic scams and insider threats than malware.

NextGen’s Security Measures and the Industry’s Vulnerability

The NextGen data breach has brought the company’s security measures into question, despite its reputation as one of America’s Most Trustworthy Companies. NextGen has emphasized that security remains a top priority, promising comprehensive steps to investigate and remediate the incident. Nevertheless, the event highlights the rising threat of unauthorized access in the healthcare sector and should be a wake-up call to CIOs in the healthcare industry. With the increasing sophistication of hackers and the high volume of logins required in healthcare, companies like NextGen are becoming more vulnerable.