NextGen Healthcare, a US-based provider of electronic health record software, admitted that hackers had breached its systems and stolen the personal information of more than 1 million patients.
In a data breach notification filed with the Maine Attorney General’s office, NextGen Healthcare confirmed that hackers had access to the personal data of 1.05 million patients, including about 4,000 Maine residents. In a letter to those affected, NextGen Healthcare said hackers stole patients’ names, dates of birth, addresses and social security numbers.
“Importantly, our investigation has not revealed any evidence of any access to or impact on your health or medical records,” the company added. It is not yet known whether NextGen Healthcare has the resources, such as logs, to determine what data was exfiltrated, and company spokesperson Tami Andrade did not immediately respond to TechCrunch’s questions.
In the filing with Maine’s AG, NextGen Healthcare said it was alerted to suspicious activity on March 30 and later determined that hackers accessed its systems between March 29 and April 14, 2023. The notification states that the attackers gained access to the NextGen Office system — a cloud-based EHR and practice management solution — using customer credentials that “appear to have been stolen from other sources or incidents unrelated to NextGen”.
NextGen was also reportedly the victim of a ransomware attack in January this year, which was claimed by the ALPHV ransomware gang, also known as BlackCat. An entry on ALPHV’s dark web leak site, seen by TechCrunch, shows examples of the stolen data, including employee names, addresses, phone numbers and passport scans.
News of NextGen’s latest breach comes as the number of patients affected by the massive ransomware attack targeting customers who used Fortra’s GoAnywhere file transfer software continues to grow. Florida-based technology company NationBenefits confirmed last week that more than 3 million members had data stolen in the cyberattack, while Brightline, a virtual therapy provider for children, said more than 960,000 of the company’s pediatric psychiatric patients had data stolen.