NextGen Pharma LLC

SAN FRANCISCO, May 11, 2023 /PRNewswire/ -- Schubert Jonckheer & Kolbe LLP is investigating a data breach impacting more than one million patient records in the custody of NextGen Healthcare, Inc., an electronic health record software provider. According to NextGen, the breach took place between March 29 and April 14, 2023 and involved the theft of over one million patients' names, dates of birth, addresses, and social security numbers. The company attributed the attack to an unknown third party who used stolen credentials to gain access to an internal NextGen database. If your personal information was impacted by this incident, you may be entitled to money damages and an injunction requiring changes to NextGen's security practices. If you received notification of this data breach or are a NextGen customer and wish to obtain additional information about your legal rights, please contact us today or visit our website at . About Schubert Jonckheer & Kolbe LLP Schubert Jonckheer & Kolbe represents shareholders, employees, and consumers in class actions against corporate defendants, as well as shareholders in derivative actions against their officers and directors. The firm is based in San Francisco, and with the help of co-counsel, litigates cases nationwide. SOURCE Schubert Jonckheer & Kolbe LLP

MITRE has developed a new report in response to the policy paper, Cybersecurity is Patient Safety: Policy Options in the Health Care Sector , put forth by Sen. Mark Warner, D-Va. The new MITRE whitepaper collects insights and recommendations for improving cybersecurity – and thus patient safety – across the healthcare sector. WHY IT MATTERS MITRE's Cybersecurity and Patient Safety in the Healthcare Setting report addresses the following areas: Improving our national cybersecurity risk posture in the healthcare sector. Modernizing regulatory frameworks, including HIPAA security and privacy rules, to increase cybersecurity protections. Developing the healthcare cybersecurity workforce. Improving the cybersecurity capabilities of healthcare delivery organizations. Emergency preparedness and response. Cybersecurity in the healthcare at home setting. The step-by-step report also includes links to relevant cyber frameworks and training sources. MITRE says that as a federally-funded nonprofit research organization, its subject matter and technical experts bring "a unique perspective to this space" in their work with government and healthcare stakeholders to help address threats and inform defense planning. "They identify and capture best practices for incorporating cybersecurity into the healthcare setting, fortify their institutions against cyber attacks and support the development of new cybersecurity policies to address emerging threats." THE LARGER TREND Cyberattacks that aim to shut down hospital and healthcare networks for ransom or to exfiltrate protected consumer and health data have caught the attention of policymakers. In the line of fire are both healthcare organizations and technology companies like electronic health records vendor NextGen, which was hit with both a ransomware attack in January and the recent discovery of unauthorized access that exposed the consumer data of more than one million patients . "Once a cyber-attack is confirmed it is critical for an organization to immediately respond and execute on effective playbooks and response procedures," advises Dave Bailey, vice president of security services at Clearwater. "Organizations should assume a threat actor was active on the network, one or more accounts were compromised and data was exfiltrated. A critical part of the response and mitigation is to determine the impacts and prove you are no longer under attack," he told Healthcare IT News by email Wednesday when asked about NextGen's data breach. "Healthcare entities should architect third-party risk management programs such that it creates a tiered approach to assessing vendors based on risk to patient safety. Top tier and high-risk vendors must demonstrate they have effective controls in place to protect patient information and enable the success of the organization and safe and quality outcomes," he said. ON THE RECORD "Implementing cyber hygiene practices is a shared responsibility across the federal government and private sector," MITRE's Center for Data-Driven Policy says in the report. "The technologies that are bringing new innovations to healthcare are rapidly evolving and attackers are becoming more sophisticated. The process for creating cyber hygiene practices needs to be streamlined and agile to adapt to different clinical environments and varying levels of expertise, resources and computational capabilities. These practices must also be designed to not inadvertently interfere with patient safety." Andrea Fox is senior editor of Healthcare IT News. Email: afox@himss.org Healthcare IT News is a HIMSS Media publication.

A new lawsuit against NextGen Healthcare filed in U.S. District Court for the Northern District of Georgia is class status following exposure of consumer information including Social Security numbers, names, dates of birth and addresses. WHY IT MATTERS According to an April 28 letter sent by the electronic health record and practice management developer to affected patients, "An unknown third-party gained unauthorized access to a limited set of electronically stored personal information between March 29, 2023 and April 14, 2023." In one notification sent to the Maine Attorney General's Office, the cause of the breach was said to be "unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen." Since NetGen reported the breach, law firms across the United States, such Markovits, Stock & DeMarco, which says it specializes in class-action lawsuits, have announced investigations into the vendor and encouraged affected patients to call to learn about "legal remedies." The Georgia suit was filed by attorneys for Cory Benn, a New York resident. The Atlanta Journal-Constitution reported Tuesday that 1,049,375 individuals were affected in the breach and that the filing claims that "all the data was vulnerable" and therefore alleges that NextGen "did not follow federal and industry guidelines for protecting data." NextGen has not posted a statement on its website about the cybersecurity incident, but told Healthcare IT News by email that protected health information was not at risk. "Based on our investigation to date, there is no evidence of any access or impact to any patient health or medical information from this incident," the company said. The vendor said it has worked with leading outside cybersecurity experts to conduct an investigation as soon as it discovered the unauthorized access. NextGen did not specify how credentials were compromised but indicated they were a provider's credentials when we asked. "We have determined that an unknown third party – using provider credentials that appear to have been stolen from sources or incidents unrelated to NextGen – gained unauthorized access to a limited set of personal information electronically stored on the NextGen Office system," the company told Healthcare IT News. In January, NextGen was hit with Black Cat ransomware , a variant of the ALPHV Russian ransomware group that the Health Sector Cybersecurity Coordination Council said is one of the most sophisticated ransomware-as-a-service variants in its December analyst note . THE LARGER TREND While unified endpoint management can enforce password restrictions and multifactor authentication mechanisms and force users to create complex alphanumeric passcodes that do not have recurring histories, endpoint protection does not necessarily protect against compromised credentials. That's why chief information cybersecurity officers recently surveyed by Proofpoint are concerned about electronic scams and insider threats more than they are about malware. In the 2023 multi-national, multi-industry annual study on their outlook for the 12 months ahead , the CISOs cited business email compromise, insider threats and cloud account compromise as top security threats. Meanwhile, unauthorized access threats are rising with healthcare's workforce challenges, according to Joel Burleson-Davis, senior vice president of worldwide engineering, cyber at Imprivata. "In healthcare, the number of logins to the electronic health records to access protected health information can top the millions," he told Healthcare IT News last month in a conversation about the consequences of healthcare's "termination gap" and protecting data . "That’s a lot of humans with a lot of room for error – and bad actors are all too eager to take advantage of that," Burleson-Davis said. "They have also developed more sophisticated ways of breaching inactive credentials that have not had access privileges shut off." Despite being attacked by malicious actors clever enough to steal credentials and gain access, EHR companies like NextGen (which the AJC noted on Tuesday was named to Newsweek’s list of America’s Most Trustworthy Companies for the second consecutive year) are vulnerable in the court of public opinion whether lawsuits are found to have merit or not. ON THE RECORD "Security, in all its forms, is a top priority for NextGen Healthcare," a company spokesperson told Healthcare IT News via email. "When we learned of the incident, we took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement. The individuals known to be impacted by this incident were notified on April 28, 2023, and we have offered them 24 months of free fraud detection and identity theft protection." Andrea Fox is senior editor of Healthcare IT News. Email: afox@himss.org Healthcare IT News is a HIMSS Media publication.