Federal lawsuit charges company with failure to follow federal and industry guidelines for protecting data
The Office of the Maine Attorney General was among the first to learn of the recent hack of NextGen Healthcare, Inc., self-described as “a leading provider of innovative, cloud-based healthcare technology solutions.” According to information provided to the AG’s office by NextGen counsel, the healthcare organization discovered a data breach on April 24, 2023, and on April 28 sent letters notifying affected individuals of the incident.
More than one million patients’ names, dates of birth, addresses, and Social Security numbers were compromised in the data breach, which occurred between March 29 and April 14, 2023. During this time, hackers accessed the company’s NextGen Office system using client credentials that appear to have been stolen from another source or sources. NextGen Office is a cloud-based electronic health records and practice management solution designed for small practices of fewer than 10 physicians.
In its role as a business associate providing services to thousands of doctors and other medical professionals, most of whom are in the United States, NextGen Healthcare maintains individual patient information on their behalf. HIPAA regulations require this information to be protected.
Healthcare Remains an Irresistible Target
According to a report published annually by IBM Security, the average cost of a healthcare data breach in 2022 was more than $10 million, up from $9.2 million in 2021. For 12 consecutive years, healthcare has led all other industries in the sheer number of data breaches, according to the report. And ransomware attacks against healthcare organizations are on the rise.
A variety of expenses can contribute to the overall cost of data breaches, including system recovery actions, network downtime, operational downtime, reputational damage, rebranding costs, lost business, victim notifications, ransom payments, civil and legal financial settlements, OCR penalties and corrective action plans, and other costs.
The HHS Office for Civil Rights (OCR) is responsible for enforcing HIPAA regulations such as the Security Rule, Privacy Rule, and Breach Notification Rule. OCR Director Melanie Fontes Rainer said in a February press release, “Hackers continue to threaten the privacy and security of patient information held by healthcare organizations, including our nation’s hospitals. It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records. This begins with understanding their risks, and taking action to prevent, respond to and combat such cyberattacks.”
Data breaches affecting more than 500 individuals must be reported to the OCR by law. As of May 10, more than 200 security incidents were listed on the OCR report for 2023. The NextGen Healthcare data breach had not yet been listed.
Notifying OCR of the Data Breach
“When we learned of the incident, we took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement,” said NextGen Healthcare spokesperson Tami Andrade in a statement.
“The individuals known to be impacted by this incident were notified on April 28, 2023, and we have offered them 24 months of free fraud detection and identity theft protection,” said Andrade.
While these are among the first important actions NextGen needed to take, the company must also notify the HHS OCR within 60 days. Specifically, the HIPAA Breach Notification Rule requires that when a “breach of unsecured protected health information affects 500 or more individuals” a covered entity must notify OCR “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.”
For NextGen Healthcare, which discovered the breach on April 24, official notification must be submitted to the OCR no later than June 23, 2023. The notice must be submitted electronically on the OCR website, with all fields of the breach notification form completed. To ensure an accurate record, the form can be amended online as the breached company obtains new facts and corrects or updates information it submitted previously.
Details NextGen Healthcare Will Have to Share With the OCR
In addition to a variety of contact information, the details required by the OCR include the start and end dates of the breach, the date of its discovery, the approximate number of individuals affected, a brief description of the breach, and information regarding notifications that have been completed. Below are the other required fields.
Type of Breach. To enable the OCR to understand the type of breach that occurred, the following choices are available: hacking/IT incident, improper disposal, loss, theft, or unauthorized access/disclosure. Instructions are provided to assist in choosing the most accurate option.
Location of Breach. This section offers a variety of choices, including desktop computer, laptop, electronic medical record, email, network server, other portable electronic device, and paper/films. There is also an “Other” category that requires detailed information.
PHI Involved in Breach. Each type of protected health information potentially affected by the breach must be identified, with choices in four categories. Clinical data includes lab results, diagnosis/conditions, medications, and other treatment information. Demographic data includes name, address/ZIP, date of birth, driver’s license, social security number, and other personal identifiers. Financial data may be information concerning claims, credit card/bank account numbers, and other financial data. A fourth category, Other, offers 4,000 characters to describe any additional information.
Safeguards in Place Prior to Breach. This section allows covered entities who have been breached to enumerate the security measures that had been implemented when the breach occurred. Choices here follow the requirements of HIPAA, including (1) Privacy Rule Safeguards (training, policies and procedures, etc.), (2) Security Rule Administrative Safeguards (risk analysis, risk management, etc.), (3) Security Rule Physical Safeguards (facility access controls, workstation security, etc.), and (4) Security Rule Technical Safeguards (access controls, transmission security, etc.). There is also a “None” option for the foolhardy.
Actions Taken in Response to the Breach. These 14 choices, plus a free-text “Other” entry, are intended to provide OCR with a thorough, if high-level, view of an organization’s remediation activity after a breach, as well as to prompt the reporting organization to be thorough in its response. Below are the selections available. Each should be represented in your organization’s formal Incident Response Plan.
Adopted encryption technologies
Changed passwords / strengthened password requirements
Created a new/updated Security Rule risk management plan
Implemented new technical safeguards
Implemented periodic technical and nontechnical evaluations
Improved physical security
Performed new/updated Security Rule risk analysis
Provided business associate with additional training on HIPAA requirements
Provided individuals with free credit monitoring
Revised business associate contracts
Revised policies and procedures
Sanctioned workforce members involved (including termination)
Took steps to mitigate or limit harm
Trained or retrained workforce members
Other (describe, up to 4,000 characters)
What Happens Once the Notification Form Is Submitted to OCR
As part of its responsibility, the OCR will conduct an investigation of the NextGen Healthcare data breach, as it does with virtually all data breaches affecting more than 500 individuals. Very often, the OCR will require that a corrective action plan be developed and implemented by the healthcare provider or business associate. Typically, the OCR will monitor progress against the plan for a period of two or three years to make sure the requisite activities are taking place.
The OCR is serious about enforcing the HIPAA Security Rule. Depending on its investigative findings, the agency may impose a financial penalty, regardless of any other financial consequences the organization might have suffered. Penalties are based on several variables.
Finally, this information will be published on the OCR website and announced in a press release for public record. From the time of the original data breach to this point, it is not unusual for several years to elapse as the organization and OCR work together to identify and resolve the failures that may have contributed to the breach. For the NextGen Healthcare hack of 2023, the final press release might not be published until 2026.
Meanwhile, Lawsuits Are Piling Up
An article on May 9 in the Atlanta Journal-Constitution reported that NextGen had already become the target of a federal lawsuit, filed in a U.S. District Court in Georgia, charging that “it was negligent in defending itself against a cyberattack that permitted hackers access to information about more than a million consumers.” The complaint asserts that “the Atlanta-based company did not follow federal and industry guidelines for protecting data.”
Since then, additional lawsuits have been filed over the NextGen Healthcare hack. An article on May 12 in BloombergLaw.com noted that three new federal class action suits allege that NextGen “breached its duty to protect their information and failed to implement adequate data-security measures.”
At least five other lawsuits make similar claims on behalf of affected individuals. As time passes, no doubt other suits will be filed.
The company is no stranger to adversity. In 2018, its parent company, Quality Systems, Inc., ended five years of litigation by agreeing to pay $19 million to settle a class-action lawsuit that charged QSI with insider trading and misrepresenting financial performance. NextGen Healthcare is also believed to have been the victim of a BlackCat ransomware attack in January 2023. The U.S. Department of Health and Human Services and the Federal Bureau of Investigation have issued alerts detailing the BlackCat threat since 2021.
NextGen Healthcare is a large business associate that sells cloud-based EHR and PM services to physicians and other medical professionals, primarily in the U.S. The company is governed by HIPAA regulations, which the HHS Office for Civil Rights is responsible for enforcing.
In the wake of a data breach that occurred between March 29 and April 14, 2023, and affected more than one million individuals, NextGen has notified those whose names, addresses, dates of birth, and Social Security numbers were compromised. Within 60 days the company must submit a report to the OCR, which will investigate the breach to determine specific failures in compliance with the HIPAA Privacy and Security Rules. A financial penalty and a corrective action plan are the expected outcome of the OCR investigation into the NextGen Healthcare hack over the next several years.
In the meantime, multiple class action suits charge the company with failure to follow federal and industry guidelines for protecting data, negligence in defending itself against a cyberattack, breach of its duty to protect patient information, and failure to implement adequate data security measures. The splashy headlines were just the beginning of this ordeal for NextGen Healthcare.