NextGen Healthcare, a provider of electronic health record software and practice management systems, has suffered a data breach that resulted in the theft of about one million records.
NextGen said the breach occurred between March 29 and April 14 and was discovered on April 24. It is described as unauthorized access to a database using client credentials that appear to have been stolen in other sources or incidents unrelated to NextGen.
In other words, NextGen's account is that an attacker gained access to its systems using credentials stolen in another data breach: one of its employees or clients was reusing on NextGen's systems the same login details they also used on another site.
The information stolen included names, dates of birth, Social Security numbers and addresses. No healthcare records are believed to have been compromised. NextGen has sent notification letters to those affected by the breach, offering two years of free identity monitoring and theft protection services.
This is not the first time NextGen Healthcare has been targeted by bad actors this year; it was also attacked in January. In that attack, the BlackCat ransomware gang obtained data from NextGen and published some of it on its leak site in an attempt to pressure the company into paying a ransom.
That NextGen has been targeted again, and that the attack vector was a reused password, shows that a defense-in-depth strategy needs to be followed strictly, together with security hardening guidelines.