Nuance Communications: 13 Healthcare Clients In North Carolina Affected by MOVEit Hack
Nuance Communications, a Microsoft-owned computer software company that provides software for sharing radiology documentation between providers, has recently confirmed it was affected by the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Nuance was notified by Progress Software on May 31, 2023, that a previously unknown vulnerability had been identified and a patch was provided to fix the issue; however, the vulnerability had already been exploited between May 28 and 29 by the Clop group.
The data stolen in the attack included the following data types: name, address, email address, birth date, gender, date(s) of service, service locations, practitioners’ names, imaging reports, diagnoses, treatments provided, medication dosages, medical record numbers or other patient identifiers, relative names, power of attorney names, health insurance numbers, diagnostic study identifiers (accession number, study UID) and patient identifiers such as medical record number. No diagnostic images were exposed.
Nuance disclosed the data breach on behalf of 13 healthcare clients:
- Atrium Health, the Charlotte-based health care system giant.
- Catawba Valley Medical Center in Hickory.
- Charlotte Radiology.
- Duke University Health System.
- DLP Central Carolina Medical Center in Sanford.
- Greenville-based ECU Health.
- Pinehurst-based FirstHealth of the Carolinas.
- Asheville-based Mission Health System.
- Winston-Salem-based Novant Health.
- Novant Health New Hanover Regional Medical Center in Wilmington.
- Chapel Hill-based UNC Health.
- Raleigh-based Wake Radiology Diagnostic Imaging.
- Raleigh-based WakeMed Health & Hospitals
Nuance Communications reported the breach to the HHS’ Office for Civil Rights as affecting 1,225,054 individuals. St Luke’s Health System in Idaho has also confirmed that the information of 4,679 patients was also compromised in the incident at Nuance, but chose to issue its own notifications.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Indiana University Health
Indiana University Health has notified 21,383 members of its health plan that some of their protected health information was compromised when the Clop group hacked the MOVEit Transfer solution, which was used by its claims processing vendor, TMG Health. The data breach only affected IU Health Plans Medicare Advantage members. The information stolen in the attack included member names, member identification numbers, effective dates of plans, and in limited circumstances, banking account and routing numbers.
Serco Inc.
Serco Inc. Group Health Plan has confirmed the protected health information of 10,140 members of its group health plan was compromised. The MOVEit Transfer solution was used by its benefits administration services provider, CBIZ. The information compromised in the incident included names, Social Security numbers, dates of birth, addresses, Serco and/or personal e-mail addresses, and the selected health benefits for the year.
American National Group
American National Group has confirmed that it was affected by the mass exploitation of the MOVEit Transfer vulnerability on May 28, 2023. The breach affected 47,711 individuals and the information stolen included names, dates of birth, addresses, and Social Security numbers. Affected individuals have been offered 2 years of credit monitoring services.