NextGen sued in federal court after data breach

The complaint alleges the EHR provider failed to follow guidelines for protecting data after the company said compromised credentials enabled unauthorized access to the confidential information of more than 1 million people.
By Andrea Fox
10:00 AM

A new lawsuit against NextGen Healthcare filed in U.S. District Court for the Northern District of Georgia is seeking class status following exposure of consumer information including Social Security numbers, names, dates of birth and addresses.

WHY IT MATTERS

According to an April 28 letter sent by the electronic health record and practice management developer to affected patients, "An unknown third-party gained unauthorized access to a limited set of electronically stored personal information between March 29, 2023 and April 14, 2023."

In one notification sent to the Maine Attorney General's Office, the cause of the breach was said to be "unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen."

Since NextGen reported the breach, law firms across the United States, such as Markovits, Stock & DeMarco, which says it specializes in class-action lawsuits, have announced investigations into the vendor and encouraged affected patients to call to learn about "legal remedies."

The Georgia suit was filed by attorneys for Cory Benn, a New York resident. The Atlanta Journal-Constitution reported Tuesday that 1,049,375 individuals were affected in the breach and that the filing claims that "all the data was vulnerable" and therefore alleges that NextGen "did not follow federal and industry guidelines for protecting data."

NextGen has not posted a statement on its website about the cybersecurity incident, but told Healthcare IT News by email that protected health information was not at risk. 

"Based on our investigation to date, there is no evidence of any access or impact to any patient health or medical information from this incident," the company said.

The vendor said it has worked with leading outside cybersecurity experts to conduct an investigation as soon as it discovered the unauthorized access.

NextGen did not specify how credentials were compromised but indicated they were a provider's credentials when we asked.

"We have determined that an unknown third party – using provider credentials that appear to have been stolen from sources or incidents unrelated to NextGen – gained unauthorized access to a limited set of personal information electronically stored on the NextGen Office system," the company told Healthcare IT News.

In January, NextGen was hit with Black Cat ransomware, a variant of the ALPHV Russian ransomware group that the Health Sector Cybersecurity Coordination Council said in its December analyst note is one of the most sophisticated ransomware-as-a-service variants.

THE LARGER TREND

While unified endpoint management can enforce password restrictions and multifactor authentication mechanisms and force users to create complex alphanumeric passcodes that do not have recurring histories, endpoint protection does not necessarily protect against compromised credentials.

That's why chief information cybersecurity officers recently surveyed by Proofpoint are concerned about electronic scams and insider threats more than they are about malware. 

In the 2023 multi-national, multi-industry annual study on their outlook for the 12 months ahead, the CISOs cited business email compromise, insider threats and cloud account compromise as top security threats.

Meanwhile, unauthorized access threats are rising with healthcare's workforce challenges, according to Joel Burleson-Davis, senior vice president of worldwide engineering, cyber at Imprivata.

"In healthcare, the number of logins to the electronic health records to access protected health information can top the millions," he told Healthcare IT News last month in a conversation about the consequences of healthcare's "termination gap" and protecting data.

"That’s a lot of humans with a lot of room for error – and bad actors are all too eager to take advantage of that," Burleson-Davis said. "They have also developed more sophisticated ways of breaching inactive credentials that have not had access privileges shut off." 

Despite being attacked by malicious actors clever enough to steal credentials and gain access, EHR companies like NextGen (which the AJC noted on Tuesday was named to Newsweek’s list of America’s Most Trustworthy Companies for the second consecutive year) are vulnerable in the court of public opinion whether lawsuits are found to have merit or not. 

ON THE RECORD

"Security, in all its forms, is a top priority for NextGen Healthcare," a company spokesperson told Healthcare IT News via email.

"When we learned of the incident, we took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement. The individuals known to be impacted by this incident were notified on April 28, 2023, and we have offered them 24 months of free fraud detection and identity theft protection."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
