Electronic health record software provider NextGen Healthcare has confirmed that hackers breached its systems and stole the personal data of more than one million patients.
According to a data breach notification from the Office of the Maine Attorney General, a total of 1,049,375 patients were affected by the attack.
The notification specifies that the data breach occurred between March 29 and April 14 2023, and was discovered by the company on March 24 (though a sample of a notification letter sent to affected customers on April 28 said NextGen only noticed the breach on March 30).
According to the company, the breach stemmed from unauthorized access to a database resulting from client credentials allegedly stolen from other sources or incidents unrelated to NextGen.
“An unknown third-party gained unauthorized access to a limited set of electronically stored personal information,” reads the letter. “As a result of our detailed analysis of the information impacted, we recently determined that certain of your personal information was included in the electronic data accessed during the incident.”
The affected information includes name, date of birth, address and social security number. NextGen said there was no evidence of any access or impact on users’ health or medical records.
Still, according to Tom Kellermann, SVP of cyber strategy at Contrast Security, the breach will likely result in widespread identity theft.
“Healthcare providers have long been preferred targets by cyber-criminals specializing in identity theft for two reasons: first, they have woefully inadequate cybersecurity, and second, they store the most sensitive PII [personally identifiable information].”
Dror Liwer, the co-founder of cybersecurity company Coro, echoed Kellermann’s view, adding that the risk of credential theft and misuse can be significantly diminished through a basic password management policy and multi-factor authentication.
“Moreover, deploying smart, automated detection and remediation would have reduced the attacker’s activity window to a fraction of the time they were able to access patient information,” Liwer added.
The NextGen Healthcare data breach comes weeks after the US Food and Drug Administration (FDA) published new guidelines to strengthen the cybersecurity levels of internet-connected products used by hospitals and healthcare providers.