The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Nuance Communications: 13 Healthcare Clients In North Carolina Affected by MOVEit Hack

Posted By on Sep 19, 2023

Nuance Communications, a Microsoft-owned computer software company that provides software for sharing radiology documentation between providers, has recently confirmed it was affected by the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Nuance was notified by Progress Software on May 31, 2023, that a previously unknown vulnerability had been identified and a patch was provided to fix the issue; however, the vulnerability had already been exploited between May 28 and 29 by the Clop group.

The data stolen in the attack included the following data types: name, address, email address, birth date, gender, date(s) of service, service locations, practitioners’ names, imaging reports, diagnoses, treatments provided, medication dosages, medical record numbers or other patient identifiers, relative names, power of attorney names, health insurance numbers, diagnostic study identifiers (accession number, study UID) and patient identifiers such as medical record number. No diagnostic images were exposed.

Nuance disclosed the data breach on behalf of 13 healthcare clients:

  • Atrium Health, the Charlotte-based health care system giant.
  • Catawba Valley Medical Center in Hickory.
  • Charlotte Radiology.
  • Duke University Health System.
  • DLP Central Carolina Medical Center in Sanford.
  • Greenville-based ECU Health.
  • Pinehurst-based FirstHealth of the Carolinas.
  • Asheville-based Mission Health System.
  • Winston-Salem-based Novant Health.
  • Novant Health New Hanover Regional Medical Center in Wilmington.
  • Chapel Hill-based UNC Health.
  • Raleigh-based Wake Radiology Diagnostic Imaging.
  • Raleigh-based WakeMed Health & Hospitals

Nuance Communications reported the breach to the HHS’ Office for Civil Rights as affecting 1,225,054 individuals. St Luke’s Health System in Idaho has also confirmed that the information of 4,679 patients was also compromised in the incident at Nuance, but chose to issue its own notifications.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Indiana University Health

Indiana University Health has notified 21,383 members of its health plan that some of their protected health information was compromised when the Clop group hacked the MOVEit Transfer solution, which was used by its claims processing vendor, TMG Health. The data breach only affected IU Health Plans Medicare Advantage members. The information stolen in the attack included member names, member identification numbers, effective dates of plans, and in limited circumstances, banking account and routing numbers.

Serco Inc.

Serco Inc. Group Health Plan has confirmed the protected health information of 10,140 members of its group health plan was compromised. The MOVEit Transfer solution was used by its benefits administration services provider, CBIZ. The information compromised in the incident included names, Social Security numbers, dates of birth, addresses, Serco and/or personal e-mail addresses, and the selected health benefits for the year.

American National Group

American National Group has confirmed that it was affected by the mass exploitation of the MOVEit Transfer vulnerability on May 28, 2023. The breach affected 47,711 individuals and the information stolen included names, dates of birth, addresses, and Social Security numbers. Affected individuals have been offered 2 years of credit monitoring services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist