NextGen Healthcare says hackers accessed personal data of more than 1 million patients

NextGen Healthcare, a U.S.-based provider of electronic health record software, admitted that hackers breached its systems and stole the personal data of more than 1 million patients.

In a data breach notification filed with the Maine attorney general’s office, NextGen Healthcare confirmed that hackers accessed the personal data of 1.05 million patients, including approximately 4,000 Maine residents. In a letter sent to those affected, NextGen Healthcare said that hackers stole patients’ names, dates of birth, addresses and Social Security numbers.

“Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data,” the company added. It’s not yet known whether NextGen Healthcare has the means, such as logs, to determine what data was exfiltrated and company spokesperson Tami Andrade did not immediately respond to TechCrunch’s questions.

In its filing with Maine’s AG, NextGen Healthcare said it was alerted to suspicious activity on March 30, and later determined that hackers had access to its systems between March 29 and April 14, 2023. The notification says that the attackers gained access to its NextGen Office system — a cloud-based EHR and practice management solution — using client credentials that “appear to have been stolen from other sources or incidents unrelated to NextGen”. 

NextGen was also the victim of a ransomware attack in January this year, according to reports, which was claimed by the ALPHV ransomware gang, also known as BlackCat. A listing on ALPHV’s dark web leak site, seen by TechCrunch, shows samples of the stolen data, including employee names, addresses, phone numbers, and passport scans. 

News of NextGen’s latest breach comes as the number of patients’ impacted by the mass ransomware attack targeting customers who used Fortra’s GoAnywhere file-transfer software continues to grow. Flordia-based technology company NationBenefits confirmed last week that more than 3 million members had data stolen in the cyberattack, while Brightline, a virtual therapy provider for children, said that more than 960,000 of the company’s pediatric mental health patients had data stolen.