
Nuance Communications Breach Affected 45,000 Patients

Former Employee Allegedly Accessed Personal Data From Several Nuance Clients
Nuance Communications' breach affected patients at Zuckerberg San Francisco General Hospital and Trauma Center. (Photo: UCSF)

Nuance Communications, which specializes in speech recognition software, says an unauthorized third party accessed one of its medical transcription platforms, exposing 45,000 individuals' records.


So far, it appears only one of its customers, the San Francisco Department of Public Health, has reached out to affected patients.

The data breach occurred in December 2017, and Nuance - based in Burlington, Massachusetts - says in a Thursday filing with the U.S. Securities and Exchange Commission that it promptly shut down the platform while it investigated.

Nuance says it has notified all affected customers and moved them onto its eScription transcription platform. The software is designed to convert dictation by clinicians into documents.

"We also notified law enforcement authorities and have cooperated in their investigation into the matter," Nuance writes. "The law enforcement investigation resulted in the identification of the third party, and the accessed reports have been recovered."

Follows NotPetya Infection

News of the data breach follows the company having been hit by the NotPetya malware outbreak in June 2017. Earlier this year, Nuance reported that the outbreak cost it $92 million (see Nuance: NotPetya Attack Was Not a Reportable Health Data Breach).

"For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the malware incident," Nuance reported in a Feb. 9 form 10-Q filing to the SEC. "Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses."

Culprit: Former Nuance Employee

Officials at Nuance Communications didn't immediately respond to a request for comment on the new data breach report.

But more details on the incident were revealed on Friday by the San Francisco Department of Public Health.

The department says it is sending letters to 895 patients whose personal information was improperly accessed. Nuance's transcription software was used for the department's hospitals and clinics within San Francisco's Health Network.


Breach victims include patients who visited Zuckerberg San Francisco General Hospital and Laguna Honda Hospital. The health department says in a news release that it delayed notifying patients at the request of the FBI and Justice Department, which have been investigating the breach.

Their investigation "determined that a former Nuance employee breached Nuance's servers and accessed the personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health," the department says.

The department says it has also notified the California Department of Public Health and the state's attorney general.

The department says the attacker accessed the exposed information last year between Nov. 20 and Dec. 9. Exposed data included names, birth dates, medical record and patient numbers, as well as service details such as patient conditions, assessments, treatments, care plans and dates of service.

"We sincerely apologize for any inconvenience or concern that this situation may cause," Roland Pickens, director of the San Francisco Health Network, says in a statement. "All of our vendors are required to attest to the protection of patient privacy, as part of their contract, and we continue to audit and improve upon that process."

It is not clear if the FBI and Justice Department investigation has resulted in charges being filed against the alleged former employee; officials could not be immediately reached for comment. Both the health department and Nuance say the leaked data was recovered.

So far, it appears that the San Francisco Department of Public Health is the only Nuance customer to have publicly revealed that its patients were affected by the breach.

Battling Malicious Insiders

The incident is a reminder that insider breaches remain among the most difficult forms of improper access to defend against. There are a variety of tools and methods to monitor which resources an employee accesses, but preventing insiders from stealing data or intellectual property remains challenging (see Machine Learning, AI Mitigating Insider Threats).

By virtue of being on the inside, malicious employees have plenty of time to figure out ways to extract data without raising alarms. Such knowledge, of course, can be applied even after they depart, if their access is not revoked (see Clean Break: Block Ex-Employees' Access).

"Most companies focus their resources and defensive strategies on protecting the perimeter from outsider attacks, but often the greatest damage can be done by someone already inside these defenses," according to a research paper from the SANS Institute. "System administrators can be a company's most trusted ally or their worst nightmare depending on their motivation or personal interest."

Logging and monitoring employees' actions is one way to keep an eye on who is accessing what. But SANS says that's only effective if those logs are being reviewed and used to generate alerts.

SANS also recommends that organizations ensure that IT administrators regularly review access permissions and controls, especially as their organization grows.
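To show what "reviewing the logs and generating alerts" looks like in practice, here is an added example in Python. It is not code from the article, Nuance or SANS. It assumes a transcription platform writes one JSON line per record access with the fields ts, account, client and record_id, and that HR exports the date each account's owner left; the audit lines, the roster and the two thresholds are all constructed for illustration. The script flags three patterns relevant to this incident: use of an account whose owner has departed, one account fanning out across several client organizations in a day (the pattern the health department describes), and bulk volume.

```python
"""Review platform audit logs for insider-style access patterns.

Added example (not code from Nuance, SANS or the article). It assumes a
transcription platform writes one JSON line per record access with the
fields ts, account, client and record_id, and that HR exports the date each
account's owner left (None if still employed). All data below is constructed.
"""
import json
from collections import defaultdict
from datetime import date, datetime

# Constructed HR export: account -> ISO departure date, or None.
ROSTER = {
    "jdoe": None,
    "rlee": "2017-11-15",  # left before the accesses below
    "svc-escription": None,
}

# Constructed audit log. rlee's pattern resembles the one described in the
# article: one account pulling records belonging to several client organisations.
AUDIT_LOG = """\
{"ts": "2017-11-20T02:14:05Z", "account": "rlee", "client": "sfdph", "record_id": "r1001"}
{"ts": "2017-11-20T02:14:09Z", "account": "rlee", "client": "sfdph", "record_id": "r1002"}
{"ts": "2017-11-20T02:15:30Z", "account": "rlee", "client": "clientB", "record_id": "r2001"}
{"ts": "2017-11-20T02:16:11Z", "account": "rlee", "client": "clientC", "record_id": "r3001"}
{"ts": "2017-11-20T02:17:44Z", "account": "rlee", "client": "clientD", "record_id": "r4001"}
{"ts": "2017-11-20T09:00:00Z", "account": "jdoe", "client": "sfdph", "record_id": "r1003"}
{"ts": "2017-11-20T09:05:00Z", "account": "jdoe", "client": "sfdph", "record_id": "r1004"}
{"ts": "2017-11-21T09:05:00Z", "account": "svc-escription", "client": "clientB", "record_id": "r2002"}
"""

# Assumed baselines: derive real values from the platform's own history.
MAX_CLIENTS_PER_DAY = 2
MAX_RECORDS_PER_DAY = 200


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def review(events, roster, max_clients=MAX_CLIENTS_PER_DAY,
           max_records=MAX_RECORDS_PER_DAY):
    """Return alerts as (rule, account, day, detail) tuples, one per account-day."""
    per_day = defaultdict(lambda: {"clients": set(), "records": 0})
    for e in events:
        stats = per_day[(e["account"], e["ts"].date())]
        stats["clients"].add(e["client"])
        stats["records"] += 1

    alerts = []
    for (acct, day), stats in sorted(per_day.items()):
        # Rule 1: the account has no owner, or its owner has already left.
        if acct not in roster:
            alerts.append(("unknown_account", acct, day.isoformat(), stats["records"]))
        elif roster[acct] and day >= date.fromisoformat(roster[acct]):
            alerts.append(("access_after_departure", acct, day.isoformat(), stats["records"]))
        # Rule 2: one account touching records of many client organisations.
        if len(stats["clients"]) > max_clients:
            alerts.append(("cross_client_fanout", acct, day.isoformat(),
                           sorted(stats["clients"])))
        # Rule 3: bulk volume for a single account in a day.
        if stats["records"] > max_records:
            alerts.append(("bulk_access", acct, day.isoformat(), stats["records"]))
    return alerts


if __name__ == "__main__":
    for alert in review(parse_events(AUDIT_LOG), ROSTER):
        print(*alert)
```

Aggregating per account and day keeps the alert count manageable and still records how many records were touched. The departure rule only works if the HR export reaches the log pipeline, which is the same feed that should drive account disablement in the first place.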

Recommendation: Lock Down Access

Most organizations, however, tend to focus on ensuring that access is allowed, rather than always ensuring that employees only have the minimum amount of access they might require.

"If an employee started out as a database developer and was promoted after three years to manager and then three years later to director of operations, it is likely that their access requirements would be significantly different today versus when they started," according to SANS.

Some organizations are also lax when it comes to revoking employees' credentials when they depart. "Many companies leave ex-employees' accounts active in case they need to access something within the account, rather than take the time to manage the leaving of the employee in a more secure manner," Brian Honan, head of Dublin-based cybersecurity firm BH Consulting, told ISMG last year.

It's not yet clear if such a failure led to Nuance's breach.
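The periodic access review SANS recommends and the departure handling Honan describes can both be driven from the same reconciliation. The Python below is an added example, not code from the article, SANS or BH Consulting. It assumes three exports that are all constructed here: an HR list of people with role and departure date, a role-to-entitlement baseline owned by the security team, and an identity-directory dump of what each account actually holds. It produces a "disable" finding for accounts with no owner or a departed owner, and a "revoke" finding listing the entitlements an account holds beyond its current role, which is exactly the developer-to-manager-to-director drift in the SANS example.

```python
"""Access recertification: compare what accounts hold against what their
role needs, and catch accounts that have outlived their owners.

Added example, not code from Nuance, SANS or BH Consulting. All three
inputs below are constructed; field names are assumptions.
"""
from datetime import date

# Constructed baseline: the entitlements each role is meant to hold.
ROLE_BASELINE = {
    "db_developer": {"db:read", "db:write", "vpn"},
    "manager": {"db:read", "hr:team_reports", "vpn"},
    "director_ops": {"hr:team_reports", "finance:dashboards", "vpn"},
}

# Constructed HR export: account -> current role and ISO departure date.
PEOPLE = {
    "avaughn": {"role": "director_ops", "left": None},
    "rlee": {"role": "db_developer", "left": "2017-11-15"},
    "mchen": {"role": "manager", "left": None},
}

# Constructed directory export: what each account actually holds today.
DIRECTORY = {
    # Promoted twice; nobody removed the developer entitlements.
    "avaughn": {"enabled": True,
                "entitlements": {"db:read", "db:write", "hr:team_reports",
                                 "finance:dashboards", "vpn"}},
    # Departed but still enabled.
    "rlee": {"enabled": True, "entitlements": {"db:read", "db:write", "vpn"}},
    "mchen": {"enabled": True, "entitlements": {"db:read", "hr:team_reports", "vpn"}},
    # No owner in HR at all.
    "svc-legacy": {"enabled": True, "entitlements": {"db:write"}},
}


def recertify(people, directory, baseline, today):
    """Return findings as (account, action, detail) tuples.

    today is an ISO date string so the review can be re-run for any date.
    """
    review_date = date.fromisoformat(today)
    findings = []
    for acct, rec in sorted(directory.items()):
        person = people.get(acct)
        if person is None:
            findings.append((acct, "disable", "no owner in HR export"))
            continue
        left = person["left"]
        if left and date.fromisoformat(left) <= review_date and rec["enabled"]:
            findings.append((acct, "disable", f"owner left {left}"))
            continue  # nothing else matters once the account is disabled
        # Least privilege: anything beyond the current role's baseline goes.
        excess = sorted(rec["entitlements"] - baseline[person["role"]])
        if excess:
            findings.append((acct, "revoke", excess))
    return findings


if __name__ == "__main__":
    for finding in recertify(PEOPLE, DIRECTORY, ROLE_BASELINE, "2017-12-01"):
        print(*finding)
```

Run this on a schedule and on every HR status change, and treat the "disable" findings as the urgent ones; the "revoke" list is what a manager signs off during a recertification cycle. The script deliberately reports only excess entitlements, since a missing one is a help-desk ticket rather than a security finding.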

Executive Editor Mathew Schwartz also contributed to this report.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
