Nuance Communications Notifies 1.2M Individuals of Data Breach

September 25, 2023 - Another incident stemming from a vulnerability in Progress Software’s MOVEit Transfer software has been reported, this time from Nuance Communications. Nuance, which provides software solutions to healthcare providers, notified more than 1.2 million individuals of the breach.

As previously reported, organizations around the world have suffered from exploits of a vulnerability in Progress Software’s MOVEit Transfer software, allowing threat actors to gain access to databases containing sensitive information. The vulnerability has since been resolved, but breach notifications have continued to roll in.

Nuance explained that as soon as it learned of the incident on May 31, 2023, it launched an investigation and reached out to law enforcement authorities. The investigation determined that some individuals’ personal information was subject to unauthorized access. The access was limited to the MOVEit Transfer application and did not impact Nuance systems.

Specifically, the breach involved names, demographic information, names of relatives, dates of service, medical facility information, practitioner's name, health insurance numbers, medication information, diagnoses, and patient identifiers.

“Data privacy and security are among Nuance’s highest priorities. The company has extensive measures in place to protect information entrusted to us,” the notice explained.

“To help prevent similar incidents from happening in the future, we have implemented and are continuing to implement new information security tools, processes and procedures to further strengthen the security of our IT system environments.”

Mount Desert Island Hospital Suffers Breach

Mount Desert Island Hospital (MDIH) in Bar Harbor, Maine notified 32,661 individuals of a recent data breach. After discovering suspicious activity on its network in early May 2023, MDIH launched an investigation and determined that an unauthorized party had gained access to certain files between April 28 and May 7.

The information involved in the breach included names, dates of birth, Social Security numbers, driver’s license numbers, and financial account information pertaining to MDIH employees, dependents, and beneficiaries.

In addition, the names, addresses, Social Security numbers, medical record numbers, treatment information, prescription information, billing and claims information, and Medicare or Medicaid numbers belonging to MDIH patients may have been impacted by the breach.

“In response to this incident, MDIH conducted a full forensic investigation with the assistance of third-party specialists, changed password strength, implemented new technical safeguards, implemented periodic technical and nontechnical evaluations, bolstered firewall and user access policies, disabled vendor accounts associated with the suspected attack vector, and revised its policies and procedures,” the notice stated.

Health Data Impacted in Lakeland Community College Breach

Ohio-based Lakeland Community College notified individuals of a data breach that involved health data. The college discovered unauthorized access to its network between March 7 and March 31, 2023, and immediately launched an investigation.

Further review indicated that some personal information was removed from Lakeland’s network, including full names, Social Security numbers, financial account information, passport numbers, medical information, health insurance policy information, dates of birth, and credit or debit card information.

Lakeland Community College said it was not aware of any reports of identity theft or fraud stemming from this incident but encouraged impacted individuals to remain vigilant.

“Please accept our apologies that this incident occurred,” the notice stated. “We are committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices and internal controls to enhance the security and privacy of personal information.”