Nuance Communications Data Breach Potentially Impacts 45,000 Patients

Nuance Communications, based in Burlington, MA, disclosed in a filing with the U.S. Securities and Exchange Commission that it experienced a data breach in December 2017 involving the protected health information (PHI) of 45,000 people.

According to Nuance Communications' May 10, 2018 SEC filing, a third party accessed certain reports hosted on one Nuance transcription platform. Upon discovery of this unauthorized access, the platform was promptly shut down. Nuance immediately notified law enforcement, which helped with the investigation of the breach. The individual responsible for the incident was apprehended.

The filing did not mention when the breach was discovered, but the company notified all customers using the platform so that each could notify the affected individuals. One customer is the San Francisco Health Network, which posted a substitute breach notice on its webpage on May 11. The notice stated that the PHI of 895 patients was accessed from November 20 to December 9, 2017. Patients affected include those who received medical services at Laguna Honda Hospital and Zuckerberg San Francisco General Hospital.

The unauthorized access exposed information including names, dates of birth, patient numbers, medical record numbers and dictated patient notes. The patient notes contain information on the providers’ assessment of patients, dates of services, diagnoses, treatment and care plans.

The law enforcement investigation led to the apprehension of the individual who accessed the transcription platform without proper authorization. The hacker was a former employee of Nuance Communications. The Justice Department informed San Francisco Health Network that all stolen information was recovered and that there was no evidence of disclosure or misuse of the breached PHI. Notifications were delayed at the request of the FBI and the U.S. Department of Justice to facilitate the ongoing criminal investigation. It is unknown whether the hacker has been criminally charged.

The SEC filing also included information on the cost of the NotPetya wiper attack on Nuance Communications that happened in June 2017. The company lost $68 million in revenues because of service disruption and customer refunds. It also spent $24 million on remediation and restoration efforts. The cost of this breach incident was covered in fiscal year 2017, but the company is expected to need to cover other costs as a result of the breach, including a decline in revenue and information security upgrades to prevent future cyberattacks.