NextGen Healthcare Says Hackers Accessed Personal Data of More Than 1 Million Patients (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: NextGen Healthcare, a U.S.-based provider of electronic health record software, admitted that hackers breached its systems and stole the personal data of more than 1 million patients. In a data breach notification filed with the Maine attorney general's office, NextGen Healthcare confirmed that hackers accessed the personal data of 1.05 million patients, including approximately 4,000 Maine residents. In a letter sent to those affected, NextGen Healthcare said that hackers stole patients' names, dates of birth, addresses and Social Security numbers. "Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data," the company added. TechCrunch asked NextGen Healthcare whether it has the means, such as logs, to determine what data was exfiltrated, but company spokesperson Tami Andrade declined to answer.

In its filing with Maine's AG, NextGen Healthcare said it was alerted to suspicious activity on March 30, and later determined that hackers had access to its systems between March 29 and April 14, 2023. The notification says that the attackers gained access to its NextGen Office system -- a cloud-based EHR and practice management solution -- using client credentials that "appear to have been stolen from other sources or incidents unrelated to NextGen." "When we learned of the incident, we took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement," Andrade told TechCrunch in a statement. "The individuals known to be impacted by this incident were notified on April 28, 2023, and we have offered them 24 months of free fraud detection and identity theft protection."
NextGen was also the victim of a ransomware attack in January this year, adds TechCrunch. The stolen data, including employee names, addresses, phone numbers and passport scans, appears to be available on the dark web.
  • 1.05 million people. Approx cost to fix your credit after stolen identity: $8500 after loss of work while fighting to get a new social, bank accounts, credit cards, etc. Cost of government to deal with all of this? I'd guess at least 10 mil. So about 8.9 billion split to the victims and 10 mil to the government. Let's just round it to 9 bil to cover any unexpected costs.
    • The good news is that, for most people, all their data is already "out there" from earlier breaches.

      Contact the credit bureaus and put a permanent security lock on your account. You are not only safer, but you'll also get a lot less junk mail.

      • by kmoser ( 1469707 )
        If only that "lock" applied to preventing the release of your data to begin with. Heck, I'd even pay for such a lock.
  • Yeah right (Score:4, Insightful)

    by TheRealMindChild ( 743925 ) on Monday May 08, 2023 @07:33PM (#63507787) Homepage Journal

    "We are so inept that we allowed your data to be stolen, BUT we are competent enough that we can tell that they didn't get access to anything important".

    My ass

    • More like:
      “We let hackers get ahold of all the data they need to steal your identity and ruin your credit, but we made sure they didn’t find out you had a colonoscopy in 2019.”
  • by cstacy ( 534252 ) on Monday May 08, 2023 @08:05PM (#63507821)

When you fill out a HIPAA release form (which you do with every doctor), you only authorize certain information to be shared for necessary purposes.

    When I go to various departments and doctors at the hospital, I have to fill out HIPAA forms just so they (doctors at the same hospital) can see records from each other!

    So here comes NextGen Healthcare, some kind of cloud company that apparently provides medical records services for a bunch of hospitals and providers; millions of patients.

    They say the stolen credentials used to breach the system were unrelated to incidents at NextGen Healthcare.

    That suggests that they were simply the logins for some NextGen user(s), who are medical providers, I guess.

That suggests that anyone doing business with NextGen has access to any and everybody's info and medical records!

    You would have fantasized that in a "next generation" medical records system, the patient would have some control over their own info. In particular, the doctor's office would authorize the release only to specific entities (such as their various doctors).

    This would not include insurance companies, by the way. They would love to have your medical records, but they don't get them in general. They just see your prescriptions (not what they are for) and the specific charges for visits, procedures, etc. Not your actual medical records.

    But apparently the medical providers have no such control. Once info is uploaded to NextGen, any other customer of NextGen can see it, across all organizations.

    Furthermore, there are no access controls to prevent the downloading of millions of records.

    Either that, or their explanation is bullshit, and what really happened is that the info was not accessed through user interfaces. Rather, the credentials were the internal super-user for their entire cloud. Or perhaps they didn't even secure their cloud and left it all out for anyone who knew it was there to grab it. Then the "unrelated incident" was just someone reading an email about the provisioning for the entire NextGen cloud.

    My bet is the latter.

• Ummm... you're making things up. From the summary: "Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data," So this isn't good at all, but it (apparently, and at least so far) has nothing to do with medical record data that falls under HIPAA.
      • by cstacy ( 534252 )

Ummm... you're making things up. From the summary: "Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data," So this isn't good at all, but it (apparently, and at least so far) has nothing to do with medical record data that falls under HIPAA.

        I think they are incompetent and lying.
        It's up to them to prove there was no breach of the remainder of their system, even though every single patient's PII was stolen.

  • Quid pro quo (Score:4, Insightful)

    by kmoser ( 1469707 ) on Tuesday May 09, 2023 @01:17AM (#63508117)
    Company: "Hax0rz pirated millions of our songs/videos/games. Hax0rz owes us $GAZILLIONS and should face jail time!"
    Courts: "Sounds legit. Jail time and large fine for Hax0rz!"

    Public: "Company let Hax0rz download millions of our personal records. Company owes us $GAZILLIONS and execs should face jail time!"
    Courts: "Meh."
  • by gweihir ( 88907 ) on Tuesday May 09, 2023 @01:32AM (#63508147)

    Without that, they will just pay a fine and continue their shoddy practices.