Former Nuance Communications Employee Stole PHI of 45,000 Patients

May 18, 2018

In its latest filing with the U.S. Securities and Exchange Commission, Burlington, MA-based Nuance Communications revealed that it suffered a data breach in December 2017 involving the PHI of 45,000 individuals.
Nuance Communications stated in its May 10, 2018 SEC filing that a third party accessed certain reports hosted on a single Nuance transcription platform, which was promptly shut down once the unauthorized access was discovered. According to the filing, law enforcement was notified of the breach, assisted with the investigation, and apprehended the individual responsible.
The filing does not say when the breach was discovered, although the company has notified all clients that used the platform so that they can issue notices to the affected individuals.
One of those clients, the San Francisco Health Network, posted a substitute breach notice on its website on May 11 providing further details of the breach.
The breach notice explains that the PHI of 895 patients who received medical services at Zuckerberg San Francisco General Hospital or Laguna Honda Hospital was accessed between November 20 and December 9, 2017.
The types of information accessed include names, patient numbers, medical record numbers, dates of birth, and dictated notes. The notes contained providers' assessments of patients, dates of service, diagnoses, and treatment and care plans.
The law enforcement investigation identified the individual, a former Nuance Communications employee, and determined that the individual had accessed the transcription platform without authorization. The Department of Justice informed the San Francisco Health Network that all of the stolen data has been recovered and that no evidence has been found to suggest the PHI was disclosed to anyone else or used for any purpose.
The FBI and the U.S. Department of Justice requested that notifications be delayed while the criminal investigation into the breach was conducted. It is not known whether criminal charges have been filed against the individual responsible.
The SEC filing also details the cost of the NotPetya wiper attack on Nuance Communications in June 2017. Most of the expenses associated with the attack were recorded in fiscal year 2017, including a loss of $68 million in revenue, mainly due to service disruption and reserves set aside for customer refund credits. Remediation and restoration efforts cost an additional $24 million.
The attack also contributed to "a year-over-year drop in the annualized line run-rate in our on-demand healthcare solutions and in the approximated three-year value of on-demand agreements; a year-over-year drop in hosted income and an increase in restructuring and other expenses." Nuance Communications expects to incur further expenses throughout the remainder of fiscal year 2018 to expand and upgrade its information security defenses in order to prevent future cyberattacks.