UPDATED 20:45 EDT / MAY 08 2023

SECURITY

1M records stolen from electronic health software provider NextGen

NextGen Healthcare Inc., a provider of electronic health record software and practice management systems, has suffered a data breach that resulted in the theft of about 1 million individuals’ records.

In an April 28 breach notice to the Office of the Maine Attorney General, the company said the breach occurred between March 29 and April 14 before being discovered on April 24. The company described it as involving “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen.”

In other words, NextGen is saying that an attacker gained access to its systems using credentials stolen in another data breach: one of its employees or clients was using the same login details on another site that they were also using on NextGen’s systems.

The information stolen included names, dates of birth, Social Security numbers and addresses. No healthcare records are believed to have been compromised. NextGen has sent notification letters to those affected by the breach, offering two years of free identity monitoring and theft protection services.

The data breach is not the first time NextGen Healthcare has been targeted by bad actors this year, with the company also being targeted in a ransomware attack in January. In that attack, the BlackCat ransomware gang obtained data from NextGen and published some of the data on its leak site in an attempt to get the company to pay a ransom.

As noted at DataBreaches at the time, the listing and sample data subsequently disappeared from BlackCat’s leak site. It’s not officially known why the data was pulled down, but data is typically pulled when a ransom is paid, though there’s no evidence the company did so.

That NextGen has been targeted again, and that the attack vector was a reused password, is not a good look for a Nasdaq-listed company with a market cap of just over $1 billion.

“The victims in this data breach will want to keep a close eye on their personal and financial information, as even though the breach supposedly did not expose any health or medical information,” Chris Hauk, consumer privacy advocate at online privacy blog Pixel Privacy, told SiliconANGLE. “The data that was gleaned could be used to either trick the victims into providing additional information or could even be used by bad actors to extract more info about the victims from other companies.”
