Data Privacy,
Data Security,
Healthcare
Nuance Reaches Settlement Amid Ongoing MOVEit Litigation
Nuance Communications, a subsidiary of Microsoft, has consented to pay $8.5 million to resolve a class action lawsuit stemming from a 2023 cyberattack that exploited a vulnerability in Progress Software’s MOVEit file transfer solution. This breach resulted in unauthorized access to data from various healthcare clients of Nuance, affecting approximately 1.23 million patients.
See Also: Built for Healthcare Compliance: Identity Strategies That Reduce Cyber Risk
The preliminary settlement agreement, finalized last week, is one of several reached amid federal class action lawsuits filed against multiple organizations whose data was compromised due to the MOVEit vulnerability. This incident is tied to a broader cyber campaign attributed to the Clop ransomware group, which executed a series of automated attacks leveraging a now-patched zero-day vulnerability labeled CVE-2023-34362.
Investigations revealed that the Clop group orchestrated a significant operation targeting the MOVEit flaw, coinciding with the U.S. Memorial Day weekend on May 29, 2023. The attack potentially targeted over 2,700 organizations across various sectors, including healthcare and education, resulting in compromised personal information for nearly 96 million individuals, according to security analysis by Emsisoft.
Following the attack, Progress Software promptly issued a security alert on May 31, 2023, advising customers to securely take their systems offline until updates could be enacted. Examination of the attack suggests that Clop may have begun testing the exploit as early as 2021, underscoring the protracted nature of cyber security threats.
Nuance executed a notification process for affected patients, informing them that sensitive information, including names, addresses, and health-related data, could have been accessed during the breach. The legal actions surrounding Nuance had previously consolidated six lawsuits and are part of a larger multi-district litigation comprising more than 160 cases related to MOVEit hacks across the United States.
Earlier settlements in this matter included $2.8 million from Arietis Health, following similar exploitation of the MOVEit vulnerability affecting NorthStar Anesthesia patients, and a $9.5 million agreement from the National Student Clearinghouse related to the same hacking incidents.
Details of the Nuance Settlement
The settlement for Nuance aims to compensate nearly 1.23 million affected individuals. Participating class members may access two years of complimentary medical data monitoring, alongside options to claim documented expenses related to identity theft or choose a cash payout of approximately $100. The settlement framework also outlines provisions for service awards and covered legal expenses.
Despite the financial settlement, Nuance has denied any allegations of misconduct related to the breach, asserting that it met its obligations to clients and class members. A hearing for final approval of this settlement is scheduled for March 18, 2026.
Microsoft has declined to comment regarding the Nuance settlement.
