Lawsuit alleges NextGen failed to follow security guidelines for protecting data after the company said compromised credentials enabled unauthorized access to the personal information of more than 1 million people.
NextGen Healthcare, which makes and sells software for medical and other healthcare providers, is the target of a federal lawsuit charging that it was negligent in defending itself against a cyberattack that gave hackers access to the Personal Identifying Information (“PII”) of more than a million consumers.
What Information Was Compromised?
According to the lawsuit, hackers gained access to the following Personal Identifying Information:
- Date of Birth
- Social Security Number
How Did This Happen?
According to an April 28 letter sent by the electronic health record and practice management developer to affected patients, “An unknown third-party gained unauthorized access to a limited set of electronically stored personal information between March 29, 2023 and April 14, 2023.”
In one notification sent to the Maine Attorney General’s Office, the cause of the breach was said to be “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen.”
NextGen did not specify how credentials were compromised but indicated that a provider’s credentials were used. “We have determined that an unknown third party – using provider credentials that appear to have been stolen from sources or incidents unrelated to NextGen – gained unauthorized access to a limited set of personal information electronically stored on the NextGen Office system.”
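The attack path described above is credential replay: passwords leaked from an unrelated breach are tried against provider accounts until one works. As an added example (not NextGen’s code and not taken from the complaint), the following Python shows two controls that bear directly on that path: detection logic run over a constructed sample of authentication log lines that flags a single source address working through many usernames, and a breached-password check in the k-anonymity range layout used by the Have I Been Pwned API, so that a password already exposed “from sources unrelated to NextGen” is refused at set or reset time. The log lines, usernames, IP addresses and the breached-password list are all constructed for the illustration.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real NextGen data): one source
# address works through a list of provider usernames in a few seconds and
# gets one success; a second address is a normal user logging in twice.
SAMPLE_EVENTS = [
    # (timestamp, username, source_ip, outcome)
    ("2023-03-29T02:01:10", "dr.smith", "203.0.113.7", "failure"),
    ("2023-03-29T02:01:12", "dr.patel", "203.0.113.7", "failure"),
    ("2023-03-29T02:01:14", "clinic-admin", "203.0.113.7", "success"),
    ("2023-03-29T02:01:17", "nurse.lee", "203.0.113.7", "failure"),
    ("2023-03-29T02:01:19", "dr.jones", "203.0.113.7", "failure"),
    ("2023-03-29T02:01:22", "dr.garcia", "203.0.113.7", "failure"),
    ("2023-03-29T08:15:00", "dr.smith", "198.51.100.20", "success"),
    ("2023-03-29T08:16:30", "dr.smith", "198.51.100.20", "success"),
]


def credential_stuffing_alerts(rows, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that attempt at least `min_accounts` distinct usernames
    within `window`, and report which of those attempts succeeded. Stolen
    credentials replayed from an unrelated breach usually look like this:
    many accounts, one source, mostly failures, a few successes."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in rows:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) < min_accounts:
                continue
            hit = alerts.setdefault(ip, {"distinct_accounts": 0, "successful_logins": set()})
            hit["distinct_accounts"] = max(hit["distinct_accounts"], len(users))
            hit["successful_logins"].update(u for _, u, o in span if o == "success")
    return {ip: {"distinct_accounts": h["distinct_accounts"],
                 "successful_logins": sorted(h["successful_logins"])}
            for ip, h in alerts.items()}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breached_ranges(breached_passwords):
    """Index a breached-password corpus by the first five hex digits of each
    SHA-1 (the k-anonymity range layout used by the Have I Been Pwned API),
    so a lookup reveals only a hash prefix, never the password itself."""
    ranges = defaultdict(set)
    for pw in breached_passwords:
        digest = sha1_hex(pw)
        ranges[digest[:5]].add(digest[5:])
    return ranges


# Constructed stand-in for a leaked-credential corpus; a real deployment would
# query the HIBP range endpoint or a locally mirrored copy of it.
BREACHED_RANGES = build_breached_ranges(["Password123", "Welcome1", "summer2022"])


def is_breached(password, ranges=BREACHED_RANGES):
    """True if the password appears in the breached corpus. Run this at
    password set/reset time to refuse credentials already exposed elsewhere."""
    digest = sha1_hex(password)
    return digest[5:] in ranges.get(digest[:5], set())


if __name__ == "__main__":
    for ip, hit in credential_stuffing_alerts(SAMPLE_EVENTS).items():
        print(f"{ip}: {hit['distinct_accounts']} accounts tried, "
              f"successful logins: {hit['successful_logins']}")
    for pw in ("Welcome1", "hT9!vq2-Lm8#pR"):
        print(f"{pw!r} breached: {is_breached(pw)}")
```

On the sample log the detector reports 203.0.113.7 trying six accounts in twelve seconds with one success (clinic-admin), which is the account to lock and investigate; the normal user at 198.51.100.20 is not flagged. Neither control replaces multi-factor authentication, which is what stops a valid stolen password from being sufficient on its own.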
Despite NextGen acknowledging that “it knew it was a target for cybersecurity criminals,” the complaint alleges it failed to meet the minimum standard of data security, which the complaint identifies as the National Institute of Standards and Technology Cybersecurity Framework version 1.1.
This latest incident comes only three months after NextGen reported in January that it was hit with a ransomware attack. The complaint alleges that the Atlanta-based company did not follow federal and industry guidelines for protecting data.
Why Does This Matter?
According to the Federal Trade Commission, “once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or get medical treatment on your health insurance.”
What is NextGen Doing To Protect My Identity?
According to a company statement: “when we learned of the incident, we took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement. The individuals known to be impacted by this incident were notified on April 28, 2023, and we have offered them 24 months of free fraud detection and identity theft protection.”
Beyond resetting passwords, NextGen did not elaborate on what steps it has taken to remediate the incident and prevent a recurrence.
What Are My Legal Rights?
It is important to understand your legal rights with respect to providers protecting your identity. According to the complaint, as a result of the breach victims have suffered and will continue to suffer economic loss and other actual harm for which they are entitled to damages, including, but not limited to, the following:
- the disclosure of confidential information to a third party without their consent;
- losing the inherent value of their PII;
- losing the value of access to their PII permitted by NextGen;
- identity theft and fraud resulting from the theft of their PII;
- costs associated with the detection and prevention of identity theft and unauthorized use of their financial accounts;
- anxiety, emotional distress, and loss of privacy;
- the present value of ongoing credit monitoring and identity theft protection services necessitated by NextGen’s Data Breach beyond the two years offered;
- unauthorized charges and loss of use of and access to their accounts;
- lowered credit scores resulting from the credit inquiries following fraudulent activities;
- costs associated with time spent and the loss of productivity or the enjoyment of one’s life from taking time to address and attempt to mitigate the actual and future consequences of the data breach, including searching for fraudulent activity, imposing withdrawal and purchase limits on compromised accounts, and the stress, nuisance, and annoyance of dealing with the repercussions of the Data Breach; and
- the continued, imminent, and certainly impending injury flowing from potential fraud and identity theft posed by the PII being in the possession of one or many unauthorized third parties.
Victims should note that there may also be a significant time lag between when PII is stolen and when it is misused for fraudulent purposes. According to the Government Accountability Office, which conducted a study regarding data breaches: “law enforcement officials advise that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data has been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.”