Cyber Incident Victim: NextGen Healthcare
Date: Mar 2023
Location: United States of America

Summary
NextGen Healthcare suffered a data breach in which attackers accessed its systems using client credentials that had been stolen from sources unrelated to the company. The incident compromised the personal information of over one million patients, including names, dates of birth, addresses, and Social Security numbers. The company stated there was no evidence that health or medical records were accessed. This followed another security incident earlier in the year involving ransomware.
Description
On or around March 29, 2023, unauthorized actors gained access to the systems of NextGen Healthcare, a U.S.-based provider of electronic health record software. Suspicious activity within its IT environment was detected, and the company alerted, on March 30, 2023. An investigation into the incident was initiated, involving both internal resources and leading outside cybersecurity experts. Law enforcement was also notified of the breach. The forensic investigation determined that the threat actors had persistent access to the company's systems for over two weeks, from March 29 through April 14, 2023.

The investigation revealed that the attackers specifically targeted and gained access to the NextGen Office system. This platform is a cloud-based electronic health record (EHR) and practice management solution used by healthcare providers. The method of intrusion involved the use of client credentials. According to NextGen Healthcare's analysis, these credentials did not originate from within its own systems but appear to have been stolen from other, unrelated sources or prior incidents external to the company.

The primary impact of this security breach was the theft of patient personal data. NextGen Healthcare confirmed in a data breach notification filed with the Maine attorney general's office that the personal information of 1.05 million patients was accessed and exfiltrated by the hackers. The compromised data consisted of personally identifiable information, including patient names, dates of birth, addresses, and Social Security numbers. The company explicitly stated that its investigation found no evidence of any access to, or impact on, health or medical records or any clinical data, limiting the scope of the breach to demographic and identifier information.

This incident was not the first cybersecurity event for NextGen Healthcare in 2023. The company had previously been victimized in a January 2023 ransomware attack claimed by the ALPHV ransomware gang, also known as BlackCat. That earlier incident involved a different set of data, as evidenced by samples posted on the gang's dark web leak site, which included employee information such as names, addresses, phone numbers, and passport scans. The March breach was a separate incident, distinct from the January ransomware attack.

The company undertook remediation efforts upon discovery of the March breach. These steps included working to contain the incident and secure its systems from further unauthorized access. As part of its response, NextGen Healthcare began notifying individuals known to be impacted by the incident. These notifications were sent out on April 28, 2023. The notification letters provided details of the breached information and the company's response. Furthermore, NextGen Healthcare offered affected patients 24 months of free fraud detection and identity theft protection services to help mitigate potential future harm resulting from the exposure of their sensitive personal data.

The breach was disclosed publicly through regulatory filings and a subsequent news article. The filing with the Maine attorney general confirmed that approximately 4,000 of the total affected patients were residents of the state of Maine. When questioned by media, a company spokesperson, Tami Andrade, declined to answer specific inquiries regarding whether the company possessed the necessary logs to determine the exact scope of data exfiltrated during the attack. This incident occurred within a broader context of widespread cyberattacks targeting the healthcare sector, including a separate mass ransomware campaign affecting users of Fortra's GoAnywhere file-transfer software, which impacted millions of patients at other organizations.
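The two defensive points this incident turns on are the ones a practitioner would want to see worked through: scoping a breach from an access audit trail (the question the spokesperson was asked about logs), and spotting a stolen credential being replayed from infrastructure the legitimate client never used. The following is an added example, not NextGen Healthcare's tooling and not its log format. It assumes a hypothetical append-only JSON-lines audit log in which every login and every patient-record read or export is one line with the fields shown; the sample log lines, account name and IP addresses are constructed, and the intrusion window is the one stated above.

```python
"""Breach scoping and credential-reuse indication over a constructed EHR audit log.

Added example. Assumes a hypothetical JSON-lines audit log with the fields
ts (UTC ISO-8601), user, src_ip, action, and patient_id for read/export actions.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log: no real accounts, addresses or patients.
SAMPLE_LOG = """\
{"ts": "2023-03-20T14:02:11Z", "user": "clinic_a", "src_ip": "203.0.113.10", "action": "login"}
{"ts": "2023-03-20T14:05:40Z", "user": "clinic_a", "src_ip": "203.0.113.10", "action": "read", "patient_id": "P-1001"}
{"ts": "2023-03-29T02:17:03Z", "user": "clinic_a", "src_ip": "198.51.100.77", "action": "login"}
{"ts": "2023-03-29T02:18:55Z", "user": "clinic_a", "src_ip": "198.51.100.77", "action": "read", "patient_id": "P-1001"}
{"ts": "2023-03-29T02:19:02Z", "user": "clinic_a", "src_ip": "198.51.100.77", "action": "read", "patient_id": "P-1002"}
{"ts": "2023-04-03T11:40:19Z", "user": "clinic_a", "src_ip": "198.51.100.77", "action": "export", "patient_id": "P-1003"}
{"ts": "2023-04-10T09:00:00Z", "user": "clinic_b", "src_ip": "192.0.2.5", "action": "read", "patient_id": "P-2001"}
{"ts": "2023-04-16T08:30:00Z", "user": "clinic_a", "src_ip": "203.0.113.10", "action": "read", "patient_id": "P-1004"}
"""

# Intrusion window as stated in the incident description (UTC, inclusive).
WINDOW_START = datetime(2023, 3, 29, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 4, 14, 23, 59, 59, tzinfo=timezone.utc)


def parse_audit_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'.
    Malformed lines are reported by line number rather than silently dropped,
    because a gap in the audit trail is itself a scoping finding."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            records.append(rec)
        except (ValueError, KeyError):
            malformed.append(lineno)
    return records, malformed


def scope_breach(records, compromised_users, window_start, window_end):
    """For each compromised account, collect the patient ids it read or exported inside
    the window and the source IPs it used; also return the union of affected patients."""
    per_user = defaultdict(lambda: {"patients": set(), "src_ips": set()})
    for rec in records:
        if rec["user"] not in compromised_users or not (window_start <= rec["ts"] <= window_end):
            continue
        per_user[rec["user"]]["src_ips"].add(rec["src_ip"])
        if rec["action"] in ("read", "export") and "patient_id" in rec:
            per_user[rec["user"]]["patients"].add(rec["patient_id"])
    affected = set().union(*(v["patients"] for v in per_user.values()))
    return dict(per_user), affected


def new_source_ips(records, user, window_start):
    """Source IPs the account used from window_start onward that it had never used before.
    A credential stolen elsewhere is typically replayed from infrastructure the legitimate
    client never used, so a first-seen IP on an existing account is a useful alert signal."""
    before = {r["src_ip"] for r in records if r["user"] == user and r["ts"] < window_start}
    after = {r["src_ip"] for r in records if r["user"] == user and r["ts"] >= window_start}
    return after - before


def run(log_text=SAMPLE_LOG, compromised_users=("clinic_a",)):
    """Scope the constructed incident and return a plain dict suitable for a report."""
    records, malformed = parse_audit_log(log_text)
    per_user, affected = scope_breach(records, set(compromised_users), WINDOW_START, WINDOW_END)
    return {
        "affected_patients": sorted(affected),
        "src_ips_in_window": sorted(ip for u in per_user.values() for ip in u["src_ips"]),
        "first_seen_ips": sorted(ip for u in compromised_users for ip in new_source_ips(records, u, WINDOW_START)),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

On the constructed log the compromised account touches three patient records inside the window from a single address it had never used before the intrusion began, while its post-window read from the old address is correctly left out of scope. The design choice worth noting is that scoping is only as good as the audit trail: the parser reports malformed or missing lines instead of discarding them, because an exfiltration figure built from an incomplete log is an undercount, which is exactly the uncertainty the question to the spokesperson was probing.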
