Nuance Communications, a company specializing in speech recognition and natural language processing technologies, has reported a significant data breach affecting over 1.2 million patients. The breach resulted from a large-scale cyberattack exploiting a vulnerability in MOVEit managed file transfer software, a third-party product used by numerous organizations.
The company has taken immediate action by notifying states of privacy breaches and sending letters to 1,225,054 individuals who may have had their personally identifiable and protected health information compromised.
Nuance disclosed that it was a victim of a data breach related to a vulnerability in Progress Software’s MOVEit managed file transfer product. Hackers exploited this vulnerability to gain unauthorized access to confidential information stored within Nuance’s MOVEit environment between May 28 and May 29. Nuance provides software services that integrate with electronic health records, speech recognition tools, and image exchange platforms used in the healthcare industry.
The breach has raised concerns about patient data security, especially given the sensitive nature of the healthcare sector. MOVEit secures data transfers with encryption, tracking, and access controls and is hosted on Microsoft Azure.
Nuance submitted a notice of the breach to the Texas Attorney General on behalf of various organizations, including Atrium Health, Duke University Health System, Novant Health, UNC Health, and others.
Reports suggest that this cyberattack targeted more than 2,000 organizations across various sectors, including finance, government, education, and healthcare. Though a patch for the vulnerability was released shortly after the attack, the extent of the damage was substantial.
Eric Goldstein, a senior official at the U.S. Cybersecurity and Infrastructure Security Agency, noted that many organizations were able to deploy the patch before exploitation. However, the attack still affected a significant number of victims, estimated to be around 62 million individuals.
Nuance’s expertise in speech recognition and natural language processing technologies has made it a prominent player in the healthcare industry. The company’s solutions aim to reduce administrative burdens for healthcare providers and improve data exchange processes.
This cyberattack isn’t the first time Nuance has faced malware-related issues. In 2017, it was one of the U.S. companies significantly impacted by Petya/NotPetya malware attacks, which were disguised as ransomware but aimed at data disruption and destruction.
In a letter to victims in California, Nuance stated, “On July 11, 2023, Nuance confirmed as part of our investigation that, unfortunately, some of your personal information was affected by the Progress Software incident.”