Nuance Communications Inc., a Microsoft subsidiary specializing in clinical support for healthcare organizations, experienced a data breach in May 2023 due to a vulnerability in the MOVEit file transfer software. Cybercriminals exploited this flaw, gaining unauthorized access to sensitive personal and protected health information (PHI) of an estimated 1,225,054 individuals between May 27 and May 31, 2023. The breach exposed data such as medical records, financial details, and personally identifiable information (PII), leading to risks of identity theft, fraud, and financial harm. The company agreed to an $8.5 million class-action settlement, offering affected individuals credit monitoring, identity theft protection, and reimbursements (up to $10,000 for documented losses). The incident highlighted Nuance’s alleged negligence in securing third-party software, resulting in prolonged legal and financial repercussions. The breach’s impact extended beyond financial losses, eroding trust in Nuance’s data protection capabilities, particularly in the healthcare sector, where PHI confidentiality is critical.
Source: https://www.claimdepot.com/settlements/moveit-nuance-resource
TPRM report: https://www.rankiteo.com/company/nuance-communications
"id": "nua0103101101425",
"linkid": "nuance-communications",
"type": "Breach",
"date": "5/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1,225,054 individuals',
'industry': ['Healthcare',
'Clinical Support',
'AI/Voice Recognition Technology'],
'location': 'Burlington, Massachusetts, USA',
'name': 'Nuance Communications Inc.',
'type': 'Subsidiary (Microsoft)'}],
'attack_vector': 'Exploitation of vulnerability in MOVEit file transfer '
'software',
'customer_advisories': 'Credit monitoring, identity theft protection, and '
'cash reimbursements offered to victims',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '1,225,054',
'personally_identifiable_information': 'Yes (names, '
'addresses, medical '
'data, etc.)',
'sensitivity_of_data': 'High (includes PHI and personally '
'identifiable information)',
'type_of_data_compromised': ['Personal Information',
'Protected Health Information '
'(PHI)',
'Medical Data']},
'date_detected': '2023-05-27',
'date_publicly_disclosed': '2025-09-15',
'description': 'Nuance Communications Inc., a Microsoft company providing '
'clinical support to medical practices and healthcare '
'organizations, experienced a data breach due to a '
'vulnerability in the MOVEit file transfer software. '
'Cybercriminals exploited this vulnerability between May 27 '
'and May 31, 2023, gaining unauthorized access to sensitive '
'personal and protected health information (PHI). The breach '
'affected an estimated 1,225,054 individuals, leading to a '
'class action lawsuit settled for $8.5 million. Affected '
'individuals may qualify for credit monitoring, identity theft '
'protection, or cash reimbursements up to $10,000 for '
'documented losses.',
'impact': {'brand_reputation_impact': 'Negative (settlement and public '
'disclosure of breach)',
'customer_complaints': 'Class action lawsuit filed by affected '
'individuals',
'data_compromised': ['Personal Information',
'Protected Health Information (PHI)'],
'financial_loss': '$8.5 million (settlement fund)',
'identity_theft_risk': 'High (credit monitoring and identity theft '
'protection offered to victims)',
'legal_liabilities': '$8.5 million settlement, potential '
'regulatory fines (undisclosed)',
'systems_affected': ['MOVEit file transfer software']},
'investigation_status': 'Settled (final approval hearing: March 31, 2026)',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'corrective_actions': ['Settlement payments',
'Credit monitoring services '
'for victims'],
'root_causes': ['Exploitation of unpatched MOVEit '
'vulnerability',
'Inadequate third-party risk '
'management']},
'references': [{'source': 'Class Action Settlement Notice (MOVEit Nuance '
'Resource Settlement)'},
{'source': 'Settlement Administrator (P.O. Box 173041, '
'Milwaukee, WI 53217)'}],
'regulatory_compliance': {'legal_actions': ['Class action lawsuit settled for '
'$8.5M'],
'regulations_violated': ['Potential HIPAA '
'violations (undisclosed)',
'State data breach '
'notification laws']},
'response': {'communication_strategy': ['Public notice (September 15, 2025)',
'Settlement claims process (deadline: '
'December 24, 2025)'],
'incident_response_plan_activated': 'Yes (settlement and '
'remediation measures '
'implemented)',
'remediation_measures': ['Settlement fund ($8.5M)',
'Credit monitoring/identity theft '
'protection for victims']},
'stakeholder_advisories': 'Settlement notices sent to affected individuals '
'(September 15, 2025)',
'title': 'Nuance Communications MOVEit Data Breach (2023)',
'type': ['Data Breach',
'Unauthorized Access',
'Third-Party Vulnerability Exploitation'],
'vulnerability_exploited': 'MOVEit Transfer Critical Vulnerability '
'(CVE-2023-34362)'}