Nuance has added 1.2 million patients to the list of victims in the MOVEit hack, part of a global cyber campaign targeting over 2,000 organizations. The breach exposed names, Social Security numbers, and protected health information. Nuance filed a report detailing the vulnerability in Progress Software’s MOVEit product. The breach affects various sectors, including healthcare providers like WVU Medicine. Despite a patch, the number of victims continues to grow, with an estimated 62 million affected. Nuance, a key player in healthcare technology, has faced previous malware attacks and holds multiple Best in KLAS rankings for its services in 2023.
Nuance has added 1.2 million patients to the list of victims affected by the MOVEit hack. The company has taken steps to notify these patients about a data breach that potentially exposed their names, Social Security numbers, and protected health information (PHI). This breach is part of a global cyber campaign that has targeted over 2,000 organizations.
Nuance Communications was a target of the massive Clop cyberattack campaign, which exploited a vulnerability in MOVEit managed file transfer software—a third-party technology that could have impacted several of its customers. The company has initiated the process of notifying affected individuals, with more than 1,225,054 patients receiving letters informing them of the potential compromise of their personally identifiable and protected health information.
The significance of this breach lies in its scope and impact. Nuance filed a report with the Attorney General of California on September 15, revealing that the breach occurred due to a vulnerability in Progress Software’s MOVEit managed file transfer product. This vulnerability allowed hackers unauthorized access to confidential information within Nuance’s MOVEit environment on May 28 and May 29.
Nuance plays a critical role in the healthcare sector by providing software services that integrate with electronic health records, speech recognition tools for clinical documentation, and image exchange platforms. MOVEit, which controls data transfers with encryption and access controls, runs on Microsoft Azure.
Notably, Nuance has submitted breach notices to the Texas Attorney General on behalf of several organizations, including Atrium Health, Catawba Valley Medical Center, Duke University Health System, and more. The impact of the MOVEit breach extends beyond Nuance, affecting numerous organizations across various sectors.
Recent reports estimate that the number of victims affected by the MOVEit-protected data exfiltration attack has exceeded 2,000 organizations worldwide, spanning financial, government, education, healthcare, and other sectors. WVU Medicine in West Virginia is among the healthcare providers that informed patients of their exposure in the Nuance data breach, highlighting the widespread consequences of this cyberattack.
Although a patch was released by Progress Software shortly after the breach, the damage had already been done. The number of victims continues to grow, with estimates suggesting that around 62 million individuals have been affected. The majority of attacks have targeted the United States, although incidents have also occurred in the U.K., Germany, and Canada.
Nuance, known for its speech recognition and natural language processing technologies, plays a crucial role in streamlining healthcare data exchanges and reducing administrative burdens for providers. The company has received multiple Best in KLAS rankings for its services in 2023.
This cyberattack is not Nuance’s first encounter with malware, as the company faced the Petya/NotPetya malware attacks in 2017, which aimed to disrupt and destroy data.
In an official statement, Nuance confirmed the breach and expressed regret for the impact on the affected individual’s personal information, acknowledging the incident’s occurrence on July 11, 2023.