Paubox blog: HIPAA compliant email made easy

NextGen faces lawsuit after a massive data breach

Written by Abby Grifno | May 15, 2023

NextGen Healthcare, a US-based provider of electronic health information software, recently had a large data breach and is now facing a federal lawsuit. 

 

What happened

According to a data breach notification filed with the Maine Attorney General’s office, a hacker was able to access personal information from over a million patients across the United States. The breach allegedly occurred between March 29th and April 14th. 

Allegedly, personal information such as dates of birth, Social Security numbers, and addresses was leaked, but no health or medical records were part of the breach. 

According to a local news source, one of NextGen’s responses to the breach was offering two years of free fraud detection and identity-theft protection to those affected. 

NextGen believes that the hackers used digital credentials stolen elsewhere, but the company is still facing backlash. 

An attorney filed a complaint in the U.S. District Court for the Northern District of Georgia on behalf of New York resident Cory Benn, claiming that NextGen failed to follow federal guidelines for protecting data. 

 

Why it matters

Even though NextGen may not have been involved in how the hackers obtained the digital credentials, the case still shows how health companies may be found negligent if their data protection fails to follow HIPAA regulations. 

While data breaches occasionally happen through no fault of the health care company, maintaining HIPAA compliance is one of the best ways to avoid facing allegations.

Healthcare companies are also increasingly becoming a point of interest for hackers, as they are frequently viewed as more vulnerable to attack. 

Read more: New survey reveals gap in cybersecurity implementation

 

What was said

In a statement released to TechCrunch, spokesperson Tami Andrade said that once they learned of the breach they “took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement.” 

Andrade stated there was “no evidence of any access or impact to any of your health or medical records or any health or medical data.” The statement acknowledged that hackers may have gained access to other private information. 

In the complaint, the attorneys stated that “as a result of the data breach, [impacted patients] face a substantial risk of imminent and certainly impending harm,” and that the breach has caused anxiety and monetary costs for those affected. 

 

The bottom line

Companies like NextGen are facing heat for potentially failing to follow proper HIPAA guidelines, which can result in harsh penalties. 

Read more: HIPAA breach report for April 2023

Healthcare entities should carefully consider their process for cybersecurity protection and implementation, especially in a digital world of increasing phishing and ransomware attempts. 

Related: HIPAA compliant email: The definitive guide