
Cyber Incident Victim: NextGen Healthcare

Date:

Jan 2023

Location:

United States of America

Summary

NextGen Healthcare, a major electronic health record provider, experienced a cyberattack claimed by the AlphV/BlackCat ransomware group, prompting an investigation with cybersecurity experts. The company stated it contained the threat swiftly, secured its network, and restored normal operations without evidence of client data access or exfiltration. AlphV/BlackCat—a group historically linked to high-profile attacks like Colonial Pipeline and known for ransomware-as-a-service operations—typically demands multimillion-dollar cryptocurrency ransoms and has evolved through multiple rebrandings while targeting diverse sectors globally. The incident highlighted ongoing risks posed by sophisticated ransomware affiliates with extensive operational networks.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On January 17, 2023, electronic health record provider NextGen Healthcare publicly acknowledged it was responding to a cyberattack after the AlphV/BlackCat ransomware group listed the company among its victims. The multibillion-dollar firm, which supplies EHR software and practice management systems to major hospitals and clinics across the U.S., U.K., India, and Canada, initiated an investigation with cybersecurity experts upon discovering the claim. NextGen stated it had immediately contained the threat and secured its network, restoring normal operations while continuing forensic analysis. A company spokesperson emphasized no evidence of client data access or exfiltration had been identified during the ongoing review, underscoring the priority placed on protecting client information. The AlphV/BlackCat group, known for high-profile ransomware operations, had posted NextGen’s name alongside other victims on January 17, though specific intrusion methods or ransom demands related to NextGen were not disclosed in public statements.

AlphV/BlackCat, a ransomware-as-a-service (RaaS) operation active since at least 2021, was described by researchers as an evolution of earlier groups linked to the 2021 Colonial Pipeline attack using Darkside ransomware and the subsequent BlackMatter ransomware targeting agricultural firms. The FBI identified AlphV/BlackCat as the first ransomware strain written in the Rust programming language and noted that its operators typically demanded multimillion-dollar ransoms in Bitcoin and Monero, though they occasionally accepted lower payments. Historical analysis by Symantec connected the group's developers and money launderers to prior ransomware operations such as Carbanak, which targeted the financial, hospitality, and retail sectors as early as 2012. Before rebranding as AlphV/BlackCat, key members faced arrests in 2018, and the group adapted its tactics to evade law enforcement scrutiny following high-impact incidents. NextGen's incident occurred amid a broader AlphV/BlackCat campaign affecting entities such as Bandai Namco, Jakks Pacific, German oil firms, and Moncler, though NextGen maintained that its systems were secured without confirmed data compromise during the initial response phase.

Sources
Sources available to members
1 source