Nuance Notifying 14 NC Healthcare Clients of MOVEit HacksEntities Are Among Growing Tally of Health Sector Victims in Clop Mass Attack
The list of healthcare entities affected by MOVEit file transfer hacks continues to grow as Nuance Communications acknowledged that hackers had stolen data belonging to 14 of its clients, all North Carolina medical providers.
The Microsoft subsidiary on Friday reportedly began notifying patients of more than a dozen Tar Heel hospitals and other medical organizations that their personal and health-related information potentially had been compromised in hacks involving the exploitation earlier this year of a zero-day vulnerability in Progress Software's MOVEit secure file transfer software.
In a general notice posted on its website, Nuance said it uses MOVEit to exchange files with some customers and business partners. The company offers AI-driven clinical documentation and speech recognition products including Dragon Speech Recognition software.
Potentially affected information includes patients' name, physical and email address, birthdate and clinical data such as dates of services performed at particular medical facilities and practitioners' names.
Hackers also may have obtained diagnostic information including imaging reports and medication dosages.
No diagnostic images were affected, Nuance said. Also, not every affected individual had the same combination of data elements compromised, the company said.
Security firm Emsisoft on Monday estimated that to date, about 1,190 organizations and more than 56.1 million individuals have suffered data compromises caused by MOVEit hacks.
The MOVEit incidents were instigated by the Russian-speaking Clop cybercriminal group, which unleashed a highly automated mass attack around May 29, likely timed to take advantage of the U.S. Memorial Day holiday weekend. The group came into possession of a now-patched zero-day vulnerability. Some analysis suggests that Clop may have started experimenting with how to exploit the zero-day as early as 2021.
The largest known health data breach involving MOVEit involves the Colorado Department of Health Care Policy & Financing, which is notifying 4.1 million individuals that their personal information has been stolen (see: Data Theft Via MOVEit: 4.5 Million More Individuals Affected).
The Charlotte Observer on Saturday published a separate breach notice Nuance released on Friday that lists by name 14 North Carolina medical providers affected by MOVEit incidents.
Those organizations include Atrium Health, Catawba Valley Medical Center, Charlotte Radiology, Duke University Health System, DLP Central Carolina Medical Center LLC, University Health Systems of Eastern Carolina Inc. - which does business as ECU Health, FirstHealth of the Carolinas Inc., Mission Health System, Novant Health New Hanover Regional Medical Center, Novant Health Inc., UNC Health, Wake Radiology Diagnostic Imaging, WakeMed Health & Hospitals, and West Virginia University Health System.
As of Monday, none of those organizations appear to have posted their MOVEit-related incidents on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Nuance did not immediately respond to Information Security Media Group's inquiry requesting additional details, including how many individuals were affected by the North Carolina healthcare entities victimized by the MOVEit incident and whether Nuance would be issuing lists of additional medical provider clients affected in other states.