Data Breaches Reported by NetGen Healthcare, NationsBenefits Holdings and Murfreesboro Medical Clinic & SurgiCenter

NetGen Healthcare Breach Impacts Over 1 Million Individuals

NextGen Healthcare has begun informing over 1 million people throughout the United States regarding a hacking incident that compromised their protected health information (PHI). NextGen Healthcare based in Atlanta, GA provides electronic health records (EHR) and practice management services to physicians and providers of ambulatory care. It detected on March 30, 2023 suspicious activity in its NextGen Office system. Third-party cybersecurity specialists performed a forensic investigation to find out the nature and extent of the data breach. The investigation showed unauthorized persons got access to the system from March 29, 2023 to April 14, 2023.

The attackers acquired access to a minimal dataset throughout that period of time. Accessed data included names, addresses, birth dates, and Social Security numbers. There is no proof found that suggests the attackers viewed patient health records or any medical information. There is likewise no report of any attempted or actual misuse of patient information. NextGen Healthcare reset passwords upon discovery of the breach. It also implemented extra security measures to reinforce security. The provider has started sending notification letters to impacted individuals and offered them free credit monitoring and identity theft protection services for two years.

The data breach is not yet posted on the HHS’ Office for Civil Rights breach website, however, it is already reported on a number of state Attorneys General websites. It was indicated on the breach notification submitted to the Maine Attorney General that 1,049,375 persons were impacted, including 3,913 residents in Maine. The breach report submitted to the Texas Attorney General indicated that 131,815 Texas residents were affected.

This is NextGen Healthcare’s second cyberattack in recent months. The first was in January 2023. The BlackCat ransomware group added NextGen to its data leak site, but the listing was removed later. Investigation of the incident revealed that no patient data was compromised or downloaded, and therefore this wasn’t considered a reportable data breach.

3 Million Record Data Breach at NationsBenefits Holdings

NationsBenefits Holdings, LLC is a company offering supplemental benefits, flex cards, and member engagement services to managed care companies and health plans. The company reported that it was impacted by the security breach associated with Fortra’s GoAnywhere MFT file transfer solution. Clop ransomware group was responsible for the attack, gaining access to NationsBenefits information on January 30, 2023, and extracting data from the GoAnywhere MFT solution. It demanded a ransom payment from the victim to stop exposing the stolen data. The group stole data from 130 organizations including NationsBenefits.

The Clop group took advantage of a formerly unknown (zero-day) vulnerability present in the GoAnywhere MFT solution, which made it possible for them to gain access and steal information from unsecured on-premises MFT servers. NationsBenefits Holdings stated the Clop ransomware group just accessed two MFT servers; nevertheless, an analysis of the records on those servers showed they included the PHI of 3,037,303 health plan members, which include but are not limited to, ACE, Aetna, Elevance Health Flexible Benefits Plan, as well as UAW Retiree Medical Benefits Trust. The breached data included: first and last name, telephone number, address, birth date, gender, Social Security number, health plan subscriber ID number, and/or Medicare number.

The security breach also affected the following healthcare organizations: Brightline (no less than 964,300 persons) and Community Health Systems (1 million persons); nevertheless, NationsBenefits is presently the worst impacted healthcare organization. A total of over 4 million persons had their PHI stolen in these attacks. NationsBenefits stated it knew about the security breach as soon as its security monitoring group got an advisory from an MFT server on February 7, 2023, revealing unauthorized access. It contacted Fortra and asked to help with the investigation. The preliminary analysis verified the access of the MFT server and the data theft. The succeeding internal investigation showed that the threat actor didn’t move into the other systems or applications of NationsBenefits.

NationsBenefits stated that before the attack, it has layered security controls set up and it has strengthened those security measures. NationsBenefits has taken its MFT servers completely offline and has switched to another file transfer solution that doesn’t depend on Fortra software. Notification letters were sent by mail to impacted persons starting on April 13, 2023. Complimentary credit monitoring services have been offered for 24 months.

Ransomware Attack Leads to 2 Week Operations Shutdown at TN Medical Clinic

Murfreesboro Medical Clinic & SurgiCenter (MMC) based in Tennessee encountered a cyberattack that compelled the healthcare company to fully close operations for about two weeks to control the attack and reestablish its IT systems. It is usual for healthcare companies to carry out an emergency network shutdown to control a cyberattack and limit the damage done, and to work following emergency protocols with personnel recording patient data by hand while systems are inaccessible. With certain attacks, ambulances are redirected to other hospitals, and a few appointments are postponed to ensure patient safety, however. the interruption brought on by this attack was a lot more extensive.

The cyberattack happened on April 22, 2023 resulting in the quick shutdown of the network to control the attack. Third-party cybersecurity specialists helped with the investigation and recovery efforts. MMC stated the quick action done following the security breach restricted the problems caused. Work continued 24/7 to securely restore systems online and improve security measures. MMC together with cybersecurity specialists and authorities inspected the incident to find out the scope of the attack, and although those procedures were done, it was decided to shut down all operations. MMC prepared to have a limited reopening on May 3, 2023, then have complete operations soon after that; nevertheless, the restoration process took more time than intended.

The MMC Pediatric and Internal & Family Walk-In Clinics located on Garrison Drive reopened on May 4, 2023, however, all other clinics were closed. On May 5, 2023, all surgical procedures in its SurgiCenter, Gastroenterology treatments, Laboratory and Radiology services did not push through, MMC Now clinics stayed closed, though telephone lines were recovered. On May 6-7, MMC Pediatrics continued regular weekend operations, however MMC Now Family Walk-In Clinics and Laboratory and Radiology services stayed shut during the weekend. On May 8, 2023, operations continued to be limited, though a few scheduled consultations went ahead as intended, though MMC Now Family Walk-In locations and lab and radiology services stayed shut.

MMC is serious about keeping sensitive patient and worker data secure, however, like a lot of other companies throughout the country and in spite of its hard work, MMC is still a hot target of criminals trying to steal personal or company information. CEO Joey Peay of MMC stated that the company worked hard to communicate shutdowns with all individuals promptly utilizing all ways of communication available.

Although the precise nature of the cyberattack is not mentioned, this is known to be a ransomware attack with data theft. The impact on patient data is under investigation and MMC will make more announcements and give notifications as required when the investigation ends.