UPDATED 20:45 EST / MAY 08 2023

SECURITY

1M records stolen from electronic health software provider NextGen

NextGen Healthcare Inc., a provider of electronic health record software and practice management systems, has suffered a data breach that resulted in the theft of about 1 million individuals’ records.

In an April 28 breach notice to the Office of the Maine Attorney General, the company said the breach occurred between March 29 and April 14 before being discovered on April 24. The company described it as involving “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen.”

NextGen is describing that an attacker gained access to their systems using credentials stolen in another data breach, or in other words, one of their employees or clients was using login details on another site that they were also using on NextGen’s systems.

The information stolen included names, dates of birth, Social Security numbers and addresses. No healthcare records are believed to have been compromised. NextGen has sent notification letters to those affected by the breach, offering two years of free identity monitoring and theft protection services.

The data breach is not the first time NextGen Healthcare has been targeted by bad actors this year, with the company also being targeted in a ransomware attack in January. In that attack, the BlackCat ransomware gang obtained data from NextGen and published some of the data on its leak site in an attempt to get the company to pay a ransom.

As noted at DataBreaches at the time, the listing and sample data subsequently disappeared from BlackCat’s leak site. It’s not officially known why the data was pulled down, but data is typically pulled when a ransom is paid, though there’s no evidence the company did so.

That NextGen has been targeted again and the attack vector was a reused password are not a good look for a Nasdaq-listed company with a market cap of just over $1 billion.

“The victims in this data breach will want to keep a close eye on their personal and financial information, as even though the breach supposedly did not expose any health or medical information,” Chris Hauk, consumer privacy advocate at online privacy blog Pixel Privacy, told SiliconANGLE. “The data that was gleaned could be used to either trick the victims into providing additional information or could even be used by bad actors to extract more info about the victims from other companies.”

Image: NextGen Healthcare

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU