NextGen Healthcare Reports Breach Affecting More than 1 Million Patients
NextGen Healthcare has started notifying more than 1 million individuals across the United States about a hacking incident that exposed their protected health information. NextGen Healthcare is an Atlanta, GA-based provider of electronic health records and practice management solutions to doctors and ambulatory care providers. On March 30, 2023, suspicious activity was detected in its NextGen Office system and third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the security breach. The investigation revealed unauthorized individuals had access to the system between March 29, 2023, and April 14, 2023.
NextGen said unauthorized individuals had access to “a limited dataset” during that period, which included protected health information such as names, addresses, dates of birth, and Social Security numbers. No evidence was found to indicate the attackers accessed patient medical records or any health or medical data and there have been no reports of any actual or attempted misuse of patient data. Passwords were reset when the breach was discovered, and additional security measures have now been implemented to strengthen security. HIPAA compliance breach notification letters have already started to be sent to affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 24 months.
The data breach has yet to appear on the HHS’ Office for Civil Rights breach portal, but is showing on the websites of several state Attorneys General. The breach notification issued to the Maine Attorney General indicates 1,049,375 individuals were affected in total, including 3,913 Maine residents. The breach was reported to the Texas Attorney General as involving the PHI of 131,815 Texas residents.
This is the second cyberattack to affect NextGen Healthcare in recent months. In January 2023, NextGen was added to the data leak site of the BlackCat ransomware group, although the listing was later taken down. The incident was investigated and a spokesman for NextGen said no patient data had been exposed or downloaded, and consequently this was not a reportable data breach.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Ransomware Gangs Leak Albany ENT & Allergy Services Data
The BianLian and RansomHouse ransomware groups have recently added Albany ENT and Allergy Services to their data leak sites, with the latter claiming to have stolen 1 TB of data before encrypting files. According to the listings, files were encrypted on March 27, 2023; however, Albany ENT and Allergy Services has yet to announce a cyberattack on its website. The dual listings suggest that both groups have conducted an attack; although only RansomHouse has posed evidence on its data leak site to back up its claims.
An update on this incident can be found here.