Data Privacy, Data Security, Healthcare
Settlement Is Latest Among Scores of Other MOVEit Lawsuits Still Pending

Nuance Communications, a Microsoft subsidiary, has agreed to pay $8.5 million to settle proposed class action litigation filed against the company after hackers in 2023 exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer software and stole data belonging to more than a dozen of Nuance’s healthcare clients and nearly 1.23 million of their patients.
The preliminary agreement reached last week by Nuance is the latest of a handful of settlements reached so far in proposed federal class action litigation filed against scores of other organizations whose healthcare-related and other data was stolen in hacks related to the MOVEit vulnerability.
The Russian-speaking Clop cybercriminal group unleashed a highly automated mass attack exploiting the MOVEit flaw around May 29, 2023, likely timed to take advantage of the U.S. Memorial Day holiday weekend. The gang exploited a now-patched zero-day vulnerability, designated as CVE-2023-34362.
On May 31, 2023, MOVEit’s developer, Burlington, Massachusetts-based Progress Software, issued its first security alert about the flaw, urging all customers to immediately take their software offline until they could upgrade it to a patched version.
Some analysis suggested, at the time, that Clop may have started experimenting with how to exploit the zero-day as early as 2021 (see: Data Theft Via MOVEit, 4 Million More Individuals Affected).
The Clop campaign hit 2,700 organizations in healthcare, education, insurance, government and other sectors worldwide, affecting nearly 96 million people whose personal information was compromised in the incidents, according to estimates from security firm Emsisoft.
After exploiting the vulnerability in the MOVEit transfer software, cybercriminals accessed and exfiltrated personal information stored in the databases of Progress’s MOVEit Transfer customers, including that of Nuance, court documents said.
Nuance notified affected patients on behalf of data providers that their personal information, including names, addresses, email addresses, birth dates, information related to health records and health insurance provided to Nuance may have been impacted in the MOVEit incident, the court documents state (see: Nuance Notifying 14 NC Healthcare Clients of MOVEit Hacks).
Before the settlement with Nuance was reached, the legal action against the company was a consolidated case of six lawsuits that were also part of a much larger consolidated, multi-district proposed class action litigation being handled in a Massachusetts federal court involving the MOVEit hacks. That larger consolidated multi-district litigation includes more than 160 lawsuits that have been filed in the U.S. involving MOVEit.
In February, medical billing services firm Arietis Health agreed to a $2.8 million settlement also over a hack involving exploitation of the MOVEit vulnerability that compromised the protected health information of nearly 2 million patients of NorthStar Anesthesia, an Arietis client (see: Firm Notifies Patients of 55 Health Practices of MOVEit Hack).
In May, National Student Clearinghouse paid out a $9.5 million settlement to resolve proposed class action litigation involving the MOVEit hacks filed in 2023 against the nonprofit provider of education and workplace data services.
Nuance Settlement
Court documents in the preliminary settlement for Nuance show that the settlement class is estimated to consist of nearly 1.23 million people.
Nuance has agreed to pay $8.5 million into a settlement fund. Under the agreement, eligible class members can request to receive two years of complimentary medical data, credit and identity theft monitoring. They can also submit claims for “ordinary losses” involving documented unreimbursed out-of-pocket expenses of up to $2,500 and “extraordinary” monetary losses of up to $10,000. As an alternative to those payments, class members can choose to receive a cash payment of about $100.
The settlement fund also covers $2,500 service awards to each of several class representatives; attorney fees and related expenses that are still being worked out; and other costs related to the administration of the settlement.
Under the settlement, Nuance also denies any wrongdoing, including allegations of breach of contract, privacy violations and that the company “fell short of duties it owed to the settlement class, settlement class representatives, or any other person or entity,” according to court documents.
A final approval court hearing for the Nuance settlement is scheduled for March 18, 2026.
Microsoft declined Information Security Media Group’s request for comment on the Nuance settlement.
