Electronic medical record software provider NextGen Healthcare has confirmed that hackers broke into its systems and stole the personal data of more than one million patients.
A total of 1,049,375 patients were affected by the attack, according to a data breach notification from the Maine Attorney General’s Office.
The notice states that the data breach occurred between March 29th and April 14th, 2023 and was discovered by the company on March 24th (although affected customers were notified on April 28th). In a sample notification letter sent on 12/03/2019, NextGen was only made aware of the breach on 30 March). .
The company said the breach was caused by unauthorized access to a database in which client credentials were allegedly stolen from other sources, as well as incidents unrelated to NextGen.
“An unidentified third party has obtained unauthorized access to a limited set of electronically stored personal information,” reads the letter. “Deep analysis of the affected information recently revealed that the electronic data accessed during the incident contained certain personally identifiable information.”
Read more about the medical data breach: KillNet Group used DDoS attacks against Azure-based medical apps
Affected information includes names, dates of birth, addresses, and social security numbers. NextGen said it had no evidence of access to or impact on users’ health and medical records.
Still, according to Tom Kellermann, senior vice president of cyber strategy at Contrast Security, the breach is likely to lead to widespread identity theft.
“Healthcare providers have long been favorite targets for cybercriminals specializing in identity theft because, first, their cybersecurity is woefully inadequate; The eye is storing the most sensitive PII. [personally identifiable information]”
Dror Liwer, co-founder of cybersecurity firm Coro, agrees with Kellermann, adding that basic password management policies and multi-factor authentication can greatly reduce the risk of credential theft and misuse. I was.
“Additionally, deploying smart, automated detection and remediation would have reduced the attacker’s window of activity to a fraction of the time patient information could be accessed,” added Liwer. .
The NextGen Healthcare data breach comes weeks after the U.S. Food and Drug Administration (FDA) issued new guidelines to increase cybersecurity levels for internet-connected products used by hospitals and healthcare providers.
