Notice of Progress Software Security Incident

Progress Software recently experienced a data security incident originating from a zero-day vulnerability in its MOVEit secure file transfer software. Nuance Communications (“Nuance”), which provides software solutions to certain healthcare providers, uses MOVEit to exchange files with some customers and business partners and was, unfortunately, one of the thousands of organizations impacted by Progress Software’s vulnerability. The incident did not affect any systems or applications beyond the MOVEit application and none of Nuance's solutions were impacted, but certain individuals’ personal information within the Progress Software MOVEit environment was affected. This notice explains the incident, the measures we have taken in response and the steps individuals can take to protect their personal information.

When Progress Software disclosed the incident on May 31, 2023, Nuance immediately took steps to secure systems and launched an investigation, which was conducted by experienced cybersecurity experts, including an outside law firm. Nuance also notified law enforcement authorities and is cooperating with their investigation. The investigation determined that the event occurred between May 28 and 29, 2023, and was limited to the MOVEit Transfer application. As part of the investigation, the impacted data was analyzed to determine whether any individual’s personal information was subject to unauthorized access or acquisition. Beginning on or around July 10, 2023, we confirmed that, unfortunately, certain individuals’ personal information was affected by the incident. Impacted customers were notified.

The information involved in the incident included some of the following data elements for affected individuals: name; demographic information (including address, phone number, email address, gender, date of birth); relative’s name; power of attorney’s name; health insurance number; date of service; medical facility; practitioner’s name; diagnostic study identifiers such as accession number and study UID; clinical information such as treatments provided, medication information, diagnoses, diagnostic imaging reports (no diagnostic images were impacted); and patient identifiers such as medical record number. Importantly, not every impacted individual had all of these data elements impacted, or the same combination of data elements impacted.

Data privacy and security are among Nuance’s highest priorities. The company has extensive measures in place to protect information entrusted to us. To help prevent similar incidents from happening in the future, we have implemented and are continuing to implement new information security tools, processes and procedures to further strengthen the security of our IT system environments.

Individuals should remain vigilant against incidents of identity theft and fraud, review account statements, and monitor their free credit reports for suspicious activity and to detect errors. Individuals can obtain a free copy of their credit report online at www.annualcreditreport.com, by calling toll-free (877) 322-8228, or by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.

If you have any questions, Nuance has set up a dedicated, toll-free call center to answer questions about this incident. Impacted individuals can call toll-free (888) 988-0380, Monday through Friday, between 8 a.m. and 8 p.m. Central Time, excluding major U.S. holidays. Information is also available on the Nuance website at Nuance.com/MoveIt.