The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NextGen Healthcare Facing Multiple Class Action Data Breach Lawsuits

A healthcare data breach of 1 million+ records is certain to result in multiple lawsuits, and the data breach experienced by NextGen Healthcare is no exception. The data breach was only disclosed by NextGen on May 5, but at least a dozen lawsuits have already been filed in federal court in Georgia over the breach.

The data breach was the result of a hacking incident involving stolen credentials, which allowed unauthorized individuals to access a database that contained sensitive patient data such as names, addresses, dates of birth, and Social Security numbers. The investigation determined that the credentials stolen by the hackers came from other sources and did not appear to have been stolen from NextGen. The breach was detected by NextGen on March 30, 2023, and the forensic investigation confirmed hackers had access to its network between March 29, 2023, and April 14, 2023. This was the second data breach to be reported by NextGen this year, with the earlier incident being a BlackCat ransomware attack. NextGen told the Maine Attorney General that 1,049,375 individuals had been affected and complimentary credit monitoring services have been offered to affected individuals.

The lawsuits were all filed in the United States District Court for the Northern District of Georgia, Atlanta Division, and make similar allegations: that NextGen was negligent for failing to safeguard the sensitive data of patients. The lawsuits claim NextGen was or should have been aware of the high risk of data breaches, as federal agencies have issued multiple warnings about cybersecurity threats targeting the healthcare sector and there have been extensive media reports about healthcare data breaches. Further, NextGen had suffered a ransomware attack just a few weeks previously and should have known that security needed to be improved.

The lawsuits also take issue with the length of time it took to contain the breach (two weeks after the intrusion was detected), the length of time it took to issue notification letters to affected individuals, and the failure to disclose sufficient facts about the data breach in those notification letters to allow the victims to determine the level of risk they face. The lawsuits allege the victims of the breach have already suffered harm and will continue to do so, and face a continuing risk of identity theft and fraud for years to come. The lawsuits seek class action status, a jury trial, damages, legal costs, and injunctive relief, including an order from the court to prohibit NextGen from engaging in unlawful practices and for improvements to be made to its data security practices.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.

