NextGen Healthcare says hackers accessed personal data of more than 1 million patients

NextGen Healthcare, a U.S.-based provider of electronic health record software, admitted that hackers breached its systems and stole the personal data of more than 1 million patients.

In a data breach notification filed with the Maine attorney general's office, NextGen Healthcare confirmed that hackers accessed the personal data of 1.05 million patients, including approximately 4,000 Maine residents. In a letter sent to those affected, NextGen Healthcare said that hackers stole patients’ names, dates of birth, addresses and Social Security numbers.

“Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data,” the company added. TechCrunch asked NextGen Healthcare whether it has the means, such as logs, to determine what data was exfiltrated, but company spokesperson Tami Andrade declined to answer.

In its filing with Maine’s AG, NextGen Healthcare said it was alerted to suspicious activity on March 30, and later determined that hackers had access to its systems between March 29 and April 14, 2023. The notification says that the attackers gained access to its NextGen Office system, a cloud-based EHR and practice management solution, using client credentials that “appear to have been stolen from other sources or incidents unrelated to NextGen.”

“When we learned of the incident, we took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement,” Andrade told TechCrunch in a statement. “The individuals known to be impacted by this incident were notified on April 28, 2023, and we have offered them 24 months of free fraud detection and identity theft protection.”

NextGen was also the victim of a ransomware attack in January this year, according to reports, which was claimed by the ALPHV ransomware gang, also known as BlackCat. A listing on ALPHV's dark web leak site, seen by TechCrunch, shows samples of the stolen data, including employee names, addresses, phone numbers and passport scans.

News of NextGen’s latest breach comes as the number of patients impacted by the mass ransomware attack targeting customers who used Fortra’s GoAnywhere file-transfer software continues to grow. Florida-based technology company NationBenefits confirmed last week that more than 3 million members had data stolen in the cyberattack, while Brightline, a virtual therapy provider for children, said that more than 960,000 of the company’s pediatric mental health patients had data stolen.

Updated with comment from NextGen Healthcare.