
Nuance: Second medical records breach

Nuance UPDATE: 2017 Ransomware Attacks on Healthcare. The impact of last year’s global cyber attacks lingers into May 2018. NotPetya wiped Nuance’s hosted services. In late December, they announced a security event. Now we understand it was their second breach.

Nuance Communications deploys very popular medical transcription services. Their US market share at hospitals, clinics and health systems is roughly 70%.


However, last June the NotPetya global cyber attack erased Nuance’s eScription medical transcription service.

Nuance lost ALL customer data due to NotPetya’s data destruction. Nuance could not restore backups of client data.

As a result, hospitals and clinics lost more than 45 days of medical transcriptions, which ultimately led to delays in medical billing. Yet in almost thirty days Nuance was able to rebuild eScription, sans client transcriptions.

Then, in December 2017, without any notice to healthcare organizations, Nuance shut down their Apex medical transcription service due to a “security” event.

Every remaining US healthcare customer transcribing on the Apex platform was shut down and forced onto eScription. Many hospitals, clinics and health systems, stunned to feel another Nuance whiplash, had to act quickly (dropping all other projects) and drag their health information management teams to a completely new medical transcription platform, regardless of whether plans to migrate away from Apex were already underway. For a few hospitals, one can imagine, the sudden jump was not too painful. Others, however, found themselves again with the longer billing cycles that NotPetya had caused.

And now, six months later (May 2018), Nuance has finally announced in their SEC filing that December’s security event was indeed their second breach in 2017. A former employee was able to get access to 45,000 medical records on Apex.

With the NotPetya attack came promises to address the lack of account management that was key to the NotPetya worm moving laterally across infected organizations. This second data breach is a clear sign Nuance did not implement any privileged account management solution following their NotPetya/eScription meltdown.

The lessons of WannaCry and NotPetya continue into 2018.