2 Vendors Among BlackCat's Alleged Recent Ransomware Victims

Group Lists EHR Provider, Pharmaceutical Services Firm on Leak Site
2 Vendors Among BlackCat's Alleged Recent Ransomware Victims

An electronic health records vendor and a pharmacy management services firm are purportedly among the latest healthcare sector victims of ransomware-as-a-service group BlackCat, also known as Alphv.

See Also: Advancing Cyber Resiliency With Proactive Data Risk Reduction

Irvine, California-based NextGen Healthcare, which offers cloud-based EHRs, and Blanco, Texas-based PharmaCare Services, a provider of pharmacy management and consulting services, appeared on BlackCat's leak site late last week.

The site still lists PharmaCare as a victim but took down its NextGen listing for unknown reasons. The reclusive author behind DataBreaches.net wrote that BlackCat had removed its listing shortly after she confronted a spokesperson of the ransomware-as-a-service group with a statement from NextGen that it has not seen evidence of a data breach.

NextGen in a statement to Information Security Media Group confirmed it is investigating a recent data security incident but would not comment specifically on BlackCat's alleged involvement.

"NextGen Healthcare is aware of this claim and we have been working with leading cybersecurity experts to investigate and remediate," a NextGen spokesperson told ISMG.

"We immediately contained the threat, secured our network, and have returned to normal operations. Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client or patient data," the spokesperson also said.

PharmaCare did not immediately respond to ISMG's request for comment on it being listed on the BlackCat leak site.

Prior Warning

The alleged BlackCat incidents come on the heels of a recent U.S. Department of Health and Human Services warning to the healthcare sector about threats involving the cybercrime group (see: BlackCat, Royal Among Most Worrisome Threats to Healthcare).

BlackCat claims its affiliates avoid attacking state medical institutions, ambulance companies and hospitals but says pharmaceutical companies, insurers, private clinics and similar entities are fair game.

The purported BlackCat incidents involving NextGen and PharmaCare appear to fit the group's self-proclaimed interest in targeting entities on the periphery of mainstream healthcare delivery. But even these incidents can have far-reaching spillover effect on other healthcare sector entities.

"It's not only attacks on healthcare providers that have the potential to disrupt patient care and put protected health information at risk. It's also attacks on vendors," says Brett Callow, threat analyst at security firm Emsisoft.

Ransomware and other hacking incidents involving third-party vendors were the crux of many of the largest health data breaches reported to federal regulators in 2022.

Business associates last year were at the center of about 250 major health data breaches affecting 24.1 million individuals, according to the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website (see: Analysis: Third-Party Health Data Breaches Dominated in 2022).

They include a hacking incident involving another cloud-based EHR vendor, Eye Care Leaders. That incident affected dozens of the company's ophthalmology and other vision care provider clients, and more than 3 million of its patients.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.