Doctor holding tablet showing data breach exposed patient records

NextGen Healthcare Data Breach Leaks 1 Million Patient Records, including Social Security Numbers

A data breach on the U.S. healthcare software giant NextGen Healthcare Inc. has exposed over 1 million patient records.

According to a data breach notification filed with the Office of the Maine Attorney General, the breach occurred between March 29 and April 14.

NextGen informed its customers on April 28 that it discovered the intrusion on March 30, hired external cybersecurity experts, and notified law enforcement authorities.

Based in Atlanta, Georgia, NextGen Healthcare provides cloud-based healthcare technology solutions, including electronic health records (EHR) software and practice management solutions for healthcare professionals.

Leaked NextGen patient records excluded medical information

NextGen Healthcare estimated that the data breach exposed 1,049,375 patient records, although only a “limited set of electronically stored personal information” was accessed.

Patient records typically contain basic personal identification details, financial information, and medical and treatment history. However, the leaked patient records excluded medical information but included PII such as patient names, dates of birth, addresses, and social security numbers.

“Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data,” the company said.

Additionally, NextGen found no evidence that the threat actor had misused the exposed personal information.

Nevertheless, the electronic health systems provider said it had taken steps to protect the victims by notifying them, resetting passwords, and offering free fraud protection.

“The individuals known to be impacted by this incident were notified on April 28, 2023, and we have offered them 24 months of free fraud detection and identity theft protection,” the company said in a statement.

Additionally, NextGen Healthcare took unspecified measures to reinforce its cyber defense to prevent a similar attack in the future.

Although the leaked patient records contained no medical information, victims were still vulnerable to other online threats.

Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, noted that “the data that was gleaned could be used to either trick the victims into providing additional information or could even be used by bad actors to extract more info about the victims from other companies.”

“This is a massive cybercrime which will result in widespread identity theft,” reiterated Tom Kellermann, SVP of Cyber Strategy at Contrast Security.

NextGen Healthcare attributes the data breach to a compromised third party

According to its ongoing investigation, NextGen Healthcare discovered that the threat actor used compromised security credentials acquired from other “sources or incidents unrelated to NextGen” to gain access.

However, Erfan Shadabi, a cybersecurity expert at Comforte AG, seemingly squarely blamed the primary organization for failing to protect patient records.

“While it appears that a third party might be culpable, this does not absolve a primary organization from ensuring that all sensitive data is fully protected at all times.”

He recommended data-centric security measures and a robust data backup strategy.

“The bare minimum of data security includes fortifying the perimeters around this type of data,” Shadabi said. “However, more effective data protection methods are readily available in the marketplace, including data-centric technologies such as tokenization and format-preserving encryption.”

The healthcare software provider has not disclosed whether any threat group has demanded a ransom.

This is the second time in less than six months that malicious actors have targeted NextGen Healthcare.

On January 17, 2023, ALPHAV/BlackCat ransomware group listed NextGen on its dark web data leak site. Back then, NextGen said it was investigating the incident but found no evidence that hackers had infiltrated its systems or exfiltrated client data.

When contacted ALPHAV/BlackCat ransomware, the group said it could only provide proof if the victim refused to pay. Shortly after, the group removed NextGen from the victim list, suggesting that either a ransom was paid or the alleged data breach was a hoax.

“Healthcare providers have long been preferred targets by Cybercriminals who specialize in identity theft due to two reasons: first, they have woeful inadequate cybersecurity, and second they store the most sensitive PII,” Kellerman added.

According to Check Point Research, the healthcare sector was a common target for cyber attacks, recording a 60% increase in 2022 and the cost of a healthcare data breach increasing by 42% in two years. Similarly, IBM’s Data Breach Report found that healthcare data breaches were the most expensive, averaging $10.10 million per attack.

“Once again, we have seen a healthcare company fall foul [to] one of the most common forms of bad cyber hygiene, and that is the re-using of passwords,” lamented Darren James, senior product manager at Specops Software.

James warned that “using the same password across multiple IT systems and services means that only one needs to be comprised” for all to be at risk.