Cloud-Based EHR Vendor Notifying 1 Million of Data BreachNextGen's Breach Follows Claims by BlackCat in an Alleged Earlier Incident
Cloud-based electronic health records vendor NextGen Healthcare is notifying more than 1 million individuals of a data compromise involving stolen credentials. The data breach is at least the second alleged data security incident the company has investigated since January.
NextGen in a breach report filed on May 5 to the Maine attorney general, described its most recent incident as "unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen."
NextGen's breach report to regulators last week follows a separate incident that the company was investigating in January during the time that the ransomware-as-a-service gang BlackCat - also known as Alphv - had briefly listed the company on its data leak site (see: 2 Vendors Among BlackCat's Alleged Recent Ransomware Victims).
At that time, NextGen in a statement to Information Security Media Group confirmed it was investigating a recent data security incident but would not comment specifically on BlackCat's alleged involvement.
"NextGen Healthcare is aware of this claim, and we have been working with leading cybersecurity experts to investigate and remediate," a NextGen spokesperson told ISMG at the time.
"We immediately contained the threat, secured our network and have returned to normal operations. Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client or patient data," the spokesperson told ISMG in January.
NextGen in a statement Monday to ISMG said the two hacks were separate incidents. The company did not immediately respond to ISMG's request for an update on the January incident and whether the company planned to report a breach tied to it.
Recent Breach Details
NextGen said that on March 30, it was alerted to suspicious activity on its NextGen Office system, according to its statement to ISMG. Based on its investigation so far, the company said an unknown third party had gained unauthorized access to a limited set of stored personal information between March 29 and April 14.
Affected information includes individuals' names, birthdates, addresses and Social Security numbers, the company said in a sample breach notification letter. NextGen added that it has not found evidence of health records or medical data being breached or of any information affected by the compromise being used for fraud.
"The individuals known to be impacted by this incident were notified on April 28, and we have offered them 24 months of free fraud detection and identity theft protection," NextGen told ISMG.
The company also said that upon discovering the incident, it took measures including resetting passwords and "further reinforcing" the security of its systems. NextGen is also working with law enforcement in the investigation.
Of the 198 major health data breaches affecting a total of 17.4 million individuals posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website so far in 2023, at least 75 incidents affecting 9.8 million individuals were reported as involving business associates.
That means vendors and other business associates were involved in about 38% of the major health data breaches posted so far in 2023, but those incidents were responsible for 56% of individuals affected by breaches in healthcare.
As of Monday, the recent NextGen data breach was not yet posted to the HHS Office for Civil Rights' tally.
Mike Hamilton, CEO and co-founder of security firm Critical Insight, said the recent NextGen data breach - on top of the earlier alleged BlackCat incident - appears to follow concerning healthcare sector trends.
"NextGen, as an EHR provider for many HIPAA-covered entities, presents a trove of monetizable records - whether for sale or to hold in abeyance for the purpose of extortion," he said. That makes key software and IT services vendors in the healthcare sector highly desirable targets for cybercriminals.
For healthcare sector clients of these types of critical third-party products and services, the NextGen data breach also highlights the importance of planning for and practicing response to incidents, including ransomware and similar events, he said.
"The lesson one might take from this is to lean into third-party risk management and ensure that there is adequate evidence of audited security controls, rather than simple attestation by a vendor."
Dave Bailey, vice president of security services at privacy and security consultancy Clearwater, offers a similar perspective.
"Healthcare entities should architect third-party risk management programs such that it creates a tiered approach to assessing vendors based on risk to patient safety," he said. "Top-tier and high-risk vendors must demonstrate they have effective controls in place to protect patient information and enable the success of the organization and safe and quality outcomes."
As for NextGen saying that its most recent incident appears to have involved stolen credentials, that is also a common security risk faced by many organizations, Bailey said.
"Today's adversaries are looking for and exploiting the use of stolen credentials to launch and execute their attacks," he said. "We must continue to educate and make our users and workforce aware of the importance of protecting their identity."