Incident & Breach Response , Security Operations

Nuance Notifying 14 NC Healthcare Clients of MOVEit Hacks

Entities Are Among Growing Tally of Health Sector Victims in Clop Mass Attack
Nuance Notifying 14 NC Healthcare Clients of MOVEit Hacks
Nuance Communications says that 14 medical care providers in North Carolina are among its healthcare sector clients affected by MOVEit hacking incidents. (Image: Nuance, Progress Software)

The list of healthcare entities affected by MOVEit file transfer hacks continues to grow as Nuance Communications acknowledged that hackers had stolen data belonging to 14 of its clients, all North Carolina medical providers.

See Also: Top Reasons Why Legacy Data Protection Fails and What to do About It

The Microsoft subsidiary on Friday reportedly began notifying patients of more than a dozen Tar Heel hospitals and other medical organizations that their personal and health-related information potentially had been compromised in hacks involving the exploitation earlier this year of a zero-day vulnerability in Progress Software's MOVEit secure file transfer software.

In a general notice posted on its website, Nuance said it uses MOVEit to exchange files with some customers and business partners. The company offers AI-driven clinical documentation and speech recognition products including Dragon Speech Recognition software.

Potentially affected information includes patients' name, physical and email address, birthdate and clinical data such as dates of services performed at particular medical facilities and practitioners' names.

Hackers also may have obtained diagnostic information including imaging reports and medication dosages.

No diagnostic images were affected, Nuance said. Also, not every affected individual had the same combination of data elements compromised, the company said.

Security firm Emsisoft on Monday estimated that to date, about 1,190 organizations and more than 56.1 million individuals have suffered data compromises caused by MOVEit hacks.

The MOVEit incidents were instigated by the Russian-speaking Clop cybercriminal group, which unleashed a highly automated mass attack around May 29, likely timed to take advantage of the U.S. Memorial Day holiday weekend. The group came into possession of a now-patched zero-day vulnerability. Some analysis suggests that Clop may have started experimenting with how to exploit the zero-day as early as 2021.

The largest known health data breach involving MOVEit involves the Colorado Department of Health Care Policy & Financing, which is notifying 4.1 million individuals that their personal information has been stolen (see: Data Theft Via MOVEit: 4.5 Million More Individuals Affected).

The Charlotte Observer on Saturday published a separate breach notice Nuance released on Friday that lists by name 14 North Carolina medical providers affected by MOVEit incidents.

Those organizations include Atrium Health, Catawba Valley Medical Center, Charlotte Radiology, Duke University Health System, DLP Central Carolina Medical Center LLC, University Health Systems of Eastern Carolina Inc. - which does business as ECU Health, FirstHealth of the Carolinas Inc., Mission Health System, Novant Health New Hanover Regional Medical Center, Novant Health Inc., UNC Health, Wake Radiology Diagnostic Imaging, WakeMed Health & Hospitals, and West Virginia University Health System.

As of Monday, none of those organizations appear to have posted their MOVEit-related incidents on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

Nuance did not immediately respond to Information Security Media Group's inquiry requesting additional details, including how many individuals were affected by the North Carolina healthcare entities victimized by the MOVEit incident and whether Nuance would be issuing lists of additional medical provider clients affected in other states.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.