More Than One Million Patients Impacted by 2023 NextGen Healthcare Data Breach, Class Actions Say

New to ClassAction.org? Read our Newswire Disclaimer

NextGen Healthcare faces at least two proposed class action lawsuits in the wake of a data breach the electronic record software company experienced between March 29 and April 14, 2023. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

One case, filed on May 8 in Georgia, says highly sensitive data belonging to at least 1,049,375 people was compromised after the systems of the cloud-based healthcare tech-solutions provider were “targeted” in the cyberattack earlier this year. The suit alleges NextGen stored consumer data, which it gathers through its doctor and medical professional clients, “in a negligent and/or reckless manner,” in particular in a condition “vulnerable to cyberattacks.” 

The lawsuits say the information exposed in the incident included consumers’ names, addresses, dates of birth and Social Security numbers, the “gold standard” of data for identity thieves. The exposed information “can, and likely will, be sold repeatedly on the dark web,” one case says. 

A lawsuit filed on May 5 says that NextGen was “alerted to suspicious activity” on or about March 30, 2023, and a subsequent investigation determined that a cybersecurity incident had occurred between March 29 and April 14.  

The suits allege NextGen failed to properly monitor its systems and train employees on cybersecurity despite being aware of the “foreseeable”—yet “highly preventable”—threat of a cyberattack.

“As a result of the Data Breach, Plaintiff and Class Members face a substantial risk of imminent and certainly impending harm,” one case warns, highlighting the risk of identity theft and fraud posed by the hackers coming into possession of consumers’ sensitive information. 

The May 8 suit says that NextGen admitted in its data breach notice letter that it reset passwords and reinforced its cybersecurity in the wake of the incident yet failed to indicate what steps, if any, the company took to protect consumers’ data going forward. 

As a HIPAA-covered associate business entity that collects and maintains significant amounts of private data, the cyberattack was a foreseeable risk to NextGen, who operates amid a healthcare industry plagued in recent years by similar targeted incidents, the cases stress. 

The Washington Post reported in January that NextGen had been hit by a ransomware attack reportedly carried out by BlackCat, a suspected Russian ransomware group. The Post wrote that BlackCat put an apparent sample of the stolen NextGen data on its extortion site, purportedly in an attempt to compel the company to pay or risk further exposure of consumer data, but later “took down the NextGen listing.”

The lawsuits look to cover all individuals NextGen identified as among those who were impacted by the 2023 data breach, including those who received notice about the incident. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.