Nuance adds 1.2M patients to the MOVEit hack victims list
Nuance Communications was part of a large-scale cyberattack campaign by Clop, which exploited a flaw in MOVEit’s managed file transfer software, a third-party technology, that could have affected more than a dozen of its customers.
The company has begun filing privacy breach notices with states and has sent letters to more than 1,225,054 affected individuals stating that their personally identifiable and protected health information may have been stolen.
WHY IT MATTERS
On September 15, Nuance filed a complaint with the California Attorney General that it had suffered a data breach involving a vulnerability in Progress Software’s managed file transfer product MOVEit.
The vulnerability allowed hackers to gain unauthorized access to confidential information stored in Nuance’s MOVEit environment between May 28 and 29, the company said in a statement. letter to affected patients posted on California AG’s website.
The company provides software services that integrate with electronic health records and other systems, including speech recognition tools that automatically create clinical documentation and image exchange platforms.
MOVEit handles data transfers with encryption, tracking and access control, and runs on Microsoft Azure.
According to a press release Monday from Console & Associates, PC, Nuance has filed a notice of breach with the Texas Attorney General on behalf of the following organizations:
-
Atrium Health
-
Catawba Valley Medical Center
-
Charlotte Radiology
-
Duke University Health System
-
DLP Central Carolina Medical Center
-
ECU health
-
First Health of the Carolinas
-
Mission Health System
-
New health
-
Novant Health New Hanover Regional Medical Center
-
UNC Health
-
Diagnostic imaging in waking radiology
-
WakeMed Health & Hospitals
Last month, Reuters reported that the “hydra-headed breach” that exploited a flaw in Massachusetts-based Progress Software for MFT compromised more than 600 organizations worldwide.
However, a series of reports in recent weeks reveal that the current estimate of victims of the MOVEit protected data exfiltration attack comes from those monitoring the incident – such as the company Emsisoft and Konbriefing Research – to more than 2,000 organizations in the financial, government, education, healthcare and other sectors.
WVU Medicine in West Virginia posted rack informing patients who received radiology services through the group of hospitals that they had been exposed to the Nuance data breach. The West Virginia University Health System is the state’s largest health care system and the largest private employer with 20 hospitals, according to its website.
Although this was resolved by Progress within days, significant damage had already been done while announcements about the number of organizations affected continued.
“Many organizations were in fact able to deploy the patch before it could be exploited,” Eric Goldstein, a senior official at the US Cybersecurity and Infrastructure Security Agency, told Reuters.
The number of victims discovered so far is estimated at approximately 62 million people.
Bert Kondruss, who is a running count his company’s website lists country-by-country statistics showing that an overwhelming majority of attacks — more than 1,800 — targeted the United States, compared with two to three dozen in the United Kingdom, Germany and Canada.
While Goldstein indicated that little of the data from the Russian-backed cyber racketeering activities was leaked, Reuters reported that Clop “created websites specifically designed to better distribute stolen data” in July and soon after “began sharing the data over peer-to-peer networks.”
THE BIG TREND
Nuance, which was acquired by Microsoft in 2021 for nearly $20 billion, offers speech recognition and natural language processing technologies that can help reduce providers’ administrative burden and improve the flow of data exchanges in healthcare.
KLAS has awarded Nuance, which has customers across the healthcare ecosystem, several Best in KLAS rankings for 2023. Its cloud-based speech recognition platform Nuance Dragon Medical One was named the Speech Recognition Market Leader for the third year in a row: Front- End EMR; Nuance PowerShare took first place in the Image Exchange category for the first time; and Nuance Computer-Assisted Physician Documentation solutions scored the highest in their category in the first year.
Nuance’s handling of the large-scale MOVEit cyber attack was not the first time the company had to deal with malware. In 2017, it was among the US companies hit hard by Petya/NotPetya malware attacks, which were masked as ransomware but aimed at disrupting and destroying data.
ON THE RECORD
“On July 11, 2023, Nuance confirmed as part of our investigation that some of your personal information was unfortunately compromised in the Progress Software incident,” the company said in a letter to victims in California.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.