
Nuance Details Damages from NotPetya Attack: Money Lost, but PHI Safe


The company emphatically denies that the incident could constitute a breach of unsecured PHI under the HIPAA Breach Notification Rule.


In addition to the two hospitals directly affected by last month’s devastating and much-publicized “NotPetya” cyberattack, many others felt its impacts secondhand. This was due to the malware interfering with Nuance Communications, the company whose Dragon Medical cloud software is widely used in hospitals for natural language processing and storage of electronic health records.

In the last week, Nuance has provided further information about the extent and nature of the damages suffered. The company has developed a swath of widely used tech solutions for healthcare entities.

In a report issued to its customers yesterday, the company stated that “Despite media reports to the contrary, the NotPetya malware actually was not ransomware. It was not designed to give its perpetrator(s) any capability to control data on affected systems.” That conclusion is in harmony with the peculiarity of the attack (it only collected $10,000 in “ransom” worldwide, and did not actually enable any means of restoring data).

“There is no evidence that any PHI was acquired, accessed, used, or disclosed in an unauthorized manner that compromised the privacy or security of the PHI and, therefore, the Incident does not fall within the definition of a presumptive breach of unsecured PHI for purposes of the HIPAA Breach Notification Rule,” was another of the report’s conclusions. Nuance emphasized that the malware was not designed to allow unauthorized parties any way to view, copy, or extract compromised data.

The company claims that, at the time of the attack, it shut down its networks, transcription platforms, and other systems to stem the malware’s spread, and has since been “conducting an extensive, around the clock, systems evaluation and restoration effort.” Recent analysis has led some industry experts to refer to the malware as a “ransomworm” rather than straight ransomware, due to functionality that allowed it to wriggle from system to system with no human interaction.

"Health care organizations locally weren't victims of the malware attack. Nuance Communications was the victim of the malware attack. The information that the health care organizations have locally weren't at risk," said Dr. Ashok Rai, CEO of Prevea Health in Wisconsin, not long after the initial attack. Hospital systems in San Antonio, Texas, also reported feeling the effects secondhand.

Late last week, Nuance reported that the software impacted had mostly been restored. Its eScription RH and Clinic 360 solutions were restored to their full capability within a week of the outbreak, and the Critical Test Results application, a radiology workflow solution, was reactivated on July 16th.

That report also noted that the incident had made a dent in the company's bottom line. The company reported that third-quarter revenues would come in $10-15 million south of the numbers originally projected, with further losses expected in the fourth quarter.
