Former Employee of Nuance Communications Stole PHI of 45,000 Patients

In a recent filing with the U.S. Securities and Exchange Commission, Burlington, MA-based Nuance Communications disclosed it experienced a data breach involving the protected health information of 45,000 individuals in December 2017.

Nuance Communications stated in its May 10, 2018 SEC filing that a third party accessed certain reports hosted on a single Nuance transcription platform, which was promptly shut down when the unauthorized access was discovered. The filing states that law enforcement was notified of the breach, assisted with the investigation, and apprehended the individual responsible.

There is no mention of when the breach was discovered, although the company has notified all customers who used the platform to allow them to issue notifications to affected individuals.

One of those customers, The San Francisco Health Network, published a substitute breach notice on its website on May 11 providing further information on the breach.

The breach notice explains that the protected health information of 895 patients who received medical services at Zuckerberg San Francisco General Hospital or Laguna Honda Hospital was accessed between November 20 and December 9, 2017.

The types of information accessed include names, birth dates, medical record numbers, patient numbers, and dictated notes. The notes included providers’ assessments of patients, diagnoses, dates of service, and treatment and care plans.

The law enforcement investigation uncovered the identity of the individual – a former employee of Nuance Communications – and determined that individual accessed a transcription platform without authorization. The Justice Department told the San Francisco Health Network that all stolen data have been recovered and no evidence has been found to suggest the PHI was disclosed to other individuals or used for any purpose.

The FBI and the U.S. Department of Justice requested notifications be delayed while the criminal investigation into the breach was conducted. It is unclear whether criminal charges have been filed against the individual responsible.

The SEC filing also includes details of the cost of the NotPetya wiper attack on Nuance Communications in June 2017. Most of the costs associated with the attack were covered in fiscal year 2017, which included a loss of $68 million in revenues primarily due to service disruption and reserves established for customer refund credits. The remediation and restoration efforts also cost an additional $24 million.

The attack also contributed to “a year-over-year decline in the annualized line run-rate in our on-demand healthcare solutions and in the estimated three-year value of on-demand contracts; a year-over-year decline in hosted revenue and an increase in restructuring and other charges.” Nuance Communications expects to incur additional costs throughout the remainder of fiscal year 2018 to enhance and upgrade its information security protections to prevent future cyberattacks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.