Nuance Communications was part of a massive Clop cyberattack campaign exploiting a flaw in MOVEit managed file transfer software, a third-party technology, that could have impacted more than a dozen of its customers.
The company has started submitting notices of privacy breaches to states and has sent letters to more than 1,225,054 affected individuals telling them their personally identifiable and protected health information may have been stolen.
WHY IT MATTERS
On September 15, Nuance filed with the Attorney General of California that it was a victim of a data breach involving a vulnerability in Progress Software’s MOVEit managed file transfer product.
The vulnerability allowed hackers to gain unauthorized access to confidential information stored within Nuance’s MOVEit environment between May 28 and May 29, the company said in a letter to affected patients posted on the California AG’s website.
The company provides software services that integrate with electronic health records and other systems, including speech recognition tools that automatically create clinical documentation and image exchange platforms.
MOVEit controls data transfers with encryption, tracking and access controls, and is run on Microsoft Azure.
According to a press announcement Monday from Console & Associates, Nuance submitted a notice of the breach to the Texas Attorney General on behalf of the following organizations:
-
Atrium Health.
-
Catawba Valley Medical Center.
-
Charlotte Radiology.
-
Duke University Health System.
-
DLP Central Carolina Medical Center.
-
ECU Health.
-
FirstHealth of the Carolinas.
-
Mission Health System.
-
Novant Health.
-
Novant Health New Hanover Regional Medical Center.
-
UNC Health.
-
Wake Radiology Diagnostic Imaging.
-
WakeMed Health & Hospitals.
This past month Reuters reported that the “hydra-headed breach” that exploited a flaw in the Massachusetts-based Progress Software for MFT snared more than 600 organizations worldwide.
However, a train of reports in recent weeks put the current estimate of the MOVEit protected data exfiltration attack victims by those tracking the incident – such as the firm Emsisoft and Konbriefing Research – to more than 2,000 organizations in the financial, government, education, healthcare and other sectors.
WVU Medicine in West Virginia posted a statement informing patients who received radiology services through its group of hospitals that they were exposed in the Nuance data breach. The West Virginia University Health System is the state’s largest health system and largest private employer with 20 hospitals, according to its website.
Though a patch by Progress happened within days, significant damage had already been done. Announcements about the number of organizations affected could continue.
“Many organizations were in fact able to deploy the patch before it could be exploited,” Eric Goldstein, a senior official at the U.S. Cybersecurity and Infrastructure Security Agency, told Reuters.
The number of victims discovered to date is estimated to be somewhere around 62 million people.
Bert Kondruss, who keeps a running tally on his company’s website, has statistics by country which indicate an overwhelming majority of the attacks – more than 1,800 – were aimed at the United States, compared to two or three dozen in the U.K., Germany and Canada.
While Goldstein indicated that little of the data from the Russia-backed cyber extortionist activity has been leaked, Reuters reported that Clop “created websites specifically intended to better spread stolen data” in July and “started sharing the data via peer-to-peer networks” shortly after.
THE LARGER TREND
Nuance, which was acquired by Microsoft in 2021 for nearly $20 billion, offers speech recognition and natural language processing technologies that can help reduce provider administrative burden and improve the flow of healthcare data exchanges.
KLAS awarded Nuance, which has clients across the healthcare ecosystem, several Best in KLAS rankings for 2023. Nuance Dragon Medical One cloud-based speech recognition platform was named the market leader in Speech Recognition: Front-End EMR for the third consecutive year; Nuance PowerShare took the number one spot in the Image Exchange category for the first time; and Nuance Computer-Assisted Physician Documentation solutions scored highest in its category’s inaugural year.
Nuance’s targeting in the massive MOVEit cyberattack was not the company’s first dealing with malware. In 2017, it was one of the U.S. companies hit hard by Petya/NotPetya malware attacks, which were masked as ransomware, but were intent on the disruption and destruction of data.
ON THE RECORD
“On July 11, 2023, Nuance confirmed as part of our investigation that, unfortunately, some of your personal information was affected by the Progress Software incident,” the company said in its letter to California victims.
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
