One-sentence summary:
NextGen Healthcare was breached twice in 2023, resulting in the potential breach of sensitive data for over 1 million patients and six class-action lawsuits.
Who was involved?
NextGen Healthcare, Inc., potentially 1,049,375 patients, the BlackCat ransomware group, and, potentially, another threat actor.
What was the timeline?
January 17, 2023: BlackCat posts NextGen’s leaked data on their leak portal
January 21, 2023: BlackCat removes NextGen’s leaked data
March 29, 2023: Breach starts
March 30, 2023: NextGen Healthcare detects suspicious activity
April 14, 2023: Breach ends
April 24, 2023: NextGen discovers the data breached
April 28, 2023: NextGen Healthcare notifies the Maine OAG office
May 6, 2023: Miller v. NextGen Healthcare is filed in the Northern District of Georgia
May 8, 2023: Benn v. NextGen Healthcare is filed in Atlanta federal court
May 10, 2023: Brown v. NextGen Healthcare is filed in the Northern District of Georgia (Justia, 2023)
May 11, 2023: Three additional class-action lawsuits are filed in Atlanta federal court (Brown, 2023)
What occurred?
NextGen was breached in January 2023 by the BlackCat ransomware group (Fox, 2023). BlackCat allegedly removed NextGen’s breach information from its leak portal, implying NextGen may have paid a ransom to BlackCat (Dissent, 2023). NextGen then suffered a new breach in March 2023, this time potentially involving 1,049,375 patients and the following sensitive data: “name, date of birth, address, and social security number” (Rollins, 2023; NextGen Healthcare, 2023, p. 1). In its breach notice, NextGen stressed that health information was not involved (NextGen Healthcare, 2023, p. 1). Subsequently, numerous class-action lawsuits have been filed against NextGen (Brown, 2023).
Estimated costs:
Associated incident response costs, breach notification costs, 24 months of Experian IdentityWorks, litigation defense
Involved laws:
Federal: Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45 (Benn v. NextGen Healthcare, 2023, p. 25)
State: Maine: 10 M.R.S.A. § 1346
Georgia: Georgia Constitution’s Right to Privacy clause (Chapter 1, Article 1) (Benn v. NextGen Healthcare, 2023, p. 68)
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
Benn v. NextGen Healthcare, Inc., Docket No. 1:23-cv-02050-TWT (N.D. Ga. 2023), https://www.classaction.org/media/benn-v-nextgen-healthcare-inc.pdf.
Brown, C. (2023, May 12). NextGen Healthcare Hit With Wave of Suits Over Data Breach. Bloomberg Law. Retrieved May 12, 2023, from https://news.bloomberglaw.com/ip-law/nextgen-healthcare-hit-with-wave-of-suits-over-data-breach
Dissent. (2023, January 21). BlackCat adds NextGen to its leak site, but . . .. where did it go? DataBreaches.net. Retrieved May 13, 2023, from https://www.databreaches.net/blackcat-adds-nextgen-to-its-leak-site-but-where-did-it-go/
Fox, A. (2023, January 24). NextGen Healthcare hit by BlackCat ransomware. Healthcare IT News. Retrieved May 13, 2023, from https://www.healthcareitnews.com/news/nextgen-healthcare-hit-blackcat-ransomware
Justia. (2023, May 11). Brown v. NextGen Healthcare, Inc. Justia Dockets & Filings. Retrieved May 13, 2023, from https://dockets.justia.com/docket/georgia/gandce/1:2023cv02130/315779
Miller v. NextGen Healthcare, Inc., Docket No. 1:23-cv-02043-TWT (N.D. Ga. 2023), https://www.classaction.org/media/miller-v-nextgen-healthcare-inc.pdf.
NextGen Healthcare. (2023). NextGen Individual Notification Letter.pdf. In Data Breach Notifications. Office of the Maine Attorney General. Retrieved May 13, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/cb1d4654-0ce0-4e59-9eec-24391249e2a8/6102f57f-d60d-4b59-aa4d-7c30e68a2f68/document.html
NextGen Healthcare Inc’s creative team. (2021, November 14). English: This is the correct/updated logo for NextGen Healthcare Inc. Wikimedia Commons. https://upload.wikimedia.org/wikipedia/commons/0/03/NG_Logo_1024x768.png
Rollins, K. M. (2023). Data Breach Notifications. In Privacy, Identity Theft and Data Security Breaches. Office of the Maine Attorney General. Retrieved May 13, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/cb1d4654-0ce0-4e59-9eec-24391249e2a8.shtml