NextGen Healthcare reported a data breach to the Maine inspector general’s office, confirming that attackers gained access to the private data of 1.05 million patients, including around 4,000 people from Maine.
NextGen Healthcare said in a letter to individuals impacted that criminals obtained the names, birthdates, residences, and Social Security numbers of patients.
Following a March 30 report of suspicious behavior, NextGen Healthcare said it discovered that hackers had gained access to its networks between March 29 and April 14, 2023 in a file with Maine’s AG.
According to the warning, the attackers used customer credentials that “appear to have been stolen from other sources or incidents unrelated to NextGen” to get into its NextGen Office system, a cloud-based EHR and practice management tool.
Andrade said in a statement to TechCrunch, “When we learned of the incident, we took steps to investigate and remediate, including working with leading outside cybersecurity experts and notifying law enforcement.” “We have provided them with 24 months of free fraud detection and identity theft protection,” the statement reads. “The individuals known to have been impacted by this incident were notified on April 28, 2023.”
According to sources, the ALPHV malware group, also known as BlackCat, claimed responsibility for the January ransomware attack against NextGen. The names, residences, phone numbers, and passport scans of employees are among the stolen data samples displayed on a listing on ALPHV’s dark web breach site, which TechCrunch has access to.
The discovery of NextGen’s most recent vulnerability coincides with an increase in the number of patients affected by the widespread ransomware assault that targets users of Fortra’s GoAnywhere file-transfer software.
NationBenefits, a Florida-based technology business, announced last week that data from more than 3 million members had been stolen in the incident, while Brightline, a company that offers virtual treatment for kids, reported that data from more than 960,000 of its pediatric mental health patients had also been stolen.