Nuance Communications (Microsoft-owned)

Nuance, a Microsoft subsidiary specializing in medical transcription and speech recognition, was ensnared in the Clop ransomware gang's 2023 mass exploitation of the MOVEit Transfer vulnerability, a supply-chain attack affecting over 2,600 organizations and 77M+ individuals globally. The breach exposed the personal data of 1.225 million people held in Nuance's MOVEit environment, data that had been supplied by downstream healthcare providers. Plaintiffs in a class-action lawsuit alleged that Nuance was negligent in failing to implement 'reasonable security measures'; the company denied liability, citing its reliance on Progress Software's widely used (but flawed) product and the absence of direct contracts with the affected individuals. Nuance nonetheless settled for $8.5 million, covering compensation and credit monitoring, while insisting it had acted swiftly (patching systems, taking MOVEit offline, and investigating). The healthcare sector's heightened regulatory scrutiny and media attention amplified the fallout. While Nuance framed itself as a victim of the Clop campaign, the breach underscored the systemic risk of third-party supply-chain dependencies. The settlement, modest compared with other MOVEit-related payouts, reflects the growing legal and reputational cost of ransomware-driven data exfiltration in critical industries.

Source: https://www.theregister.com/2025/08/18/nuance_lawsuit/

TPRM report: https://www.rankiteo.com/company/nuance-communications

"id": "nua844081825",
"linkid": "nuance-communications",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '1.225 million individuals',
                        'industry': ['Healthcare Technology',
                                     'Speech Recognition',
                                     'Medical Transcription'],
                        'location': 'Burlington, Massachusetts, USA',
                        'name': 'Nuance Communications (Microsoft subsidiary)',
                        'type': 'Corporation'}],
 'attack_vector': ['Exploitation of Zero-Day Vulnerability (CVE-2023-34362)',
                   'Unpatched MOVEit Transfer Software'],
 'customer_advisories': ['Credit-monitoring services offered to affected '
                         'individuals'],
 'data_breach': {'data_exfiltration': 'Yes (by Clop ransomware gang)',
                 'number_of_records_exposed': '1,225,000',
                 'personally_identifiable_information': ['Patient records',
                                                         'Medical '
                                                         'transcription data'],
                 'sensitivity_of_data': 'High (healthcare-related)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)']},
 'description': 'Microsoft-owned Nuance agreed to pay $8.5 million to settle a '
                'class action lawsuit over the MOVEit Transfer mega-breach, '
                'which exposed the data of ~1.225 million individuals. The '
                "breach was part of the Clop ransomware gang's 2023 mass "
                "exploitation of a vulnerability in Progress Software's MOVEit "
                'Transfer. Nuance denied liability but settled to avoid '
                'litigation risks. The incident highlights supply-chain attack '
                'risks and regulatory scrutiny in healthcare data breaches.',
 'impact': {'brand_reputation_impact': ['Negative media coverage',
                                        'Regulatory scrutiny due to healthcare '
                                        'data exposure'],
            'customer_complaints': ['Class action lawsuit filed by affected '
                                    'individuals'],
            'data_compromised': "1.225 million individuals' data",
            'financial_loss': '$8.5 million (settlement amount)',
            'identity_theft_risk': ['High (due to exposed PII/PHI)'],
            'legal_liabilities': ['Class action lawsuit settlement',
                                  'Potential regulatory fines (unconfirmed)'],
            'operational_impact': ['Temporary shutdown of MOVEit instance for '
                                   'patching',
                                   'Investigation and remediation efforts'],
            'systems_affected': ["Nuance's MOVEit Transfer environment"]},
 'initial_access_broker': {'data_sold_on_dark_web': "Likely (Clop gang's "
                                                    'standard practice)',
                           'entry_point': 'Exploited MOVEit Transfer '
                                          'vulnerability (CVE-2023-34362)',
                           'high_value_targets': ['Healthcare data',
                                                  'Patient records']},
 'investigation_status': 'Closed (settlement reached)',
 'lessons_learned': ['Supply-chain vulnerabilities can have cascading effects '
                     'across industries.',
                     'Third-party software reliance requires rigorous patch '
                     'management and vendor risk assessment.',
                     'Healthcare data breaches attract heightened regulatory '
                     'and media scrutiny.',
                     'Proactive incident response (e.g., quick patching) can '
                     'mitigate but not eliminate liability risks.'],
 'motivation': ['Financial Gain', 'Data Theft for Extortion'],
 'post_incident_analysis': {'corrective_actions': ['Settlement payout and '
                                                   'credit-monitoring for '
                                                   'victims',
                                                   'Internal security review '
                                                   '(assumed, not detailed)',
                                                   'Public denial of liability '
                                                   '(legal strategy)'],
                            'root_causes': ['Over-reliance on third-party '
                                            'software security (MOVEit '
                                            'Transfer)',
                                            'Delayed patching (though Nuance '
                                            'claims swift action '
                                            'post-disclosure)',
                                            'Lack of contractual clarity with '
                                            'downstream data providers '
                                            '(healthcare partners)']},
 'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Clop'},
 'recommendations': ['Implement zero-trust architecture for third-party file '
                     'transfer systems.',
                     'Conduct regular third-party vendor security audits, '
                     'especially for critical software like MOVEit.',
                     'Enhance contractual protections with vendors to clarify '
                     'liability in breach scenarios.',
                     'Proactively communicate with affected parties and '
                     'regulators to manage reputational risk.',
                     'Invest in cyber insurance tailored to supply-chain '
                     'attack risks.'],
 'references': [{'source': 'The Register',
                 'url': 'https://www.theregister.com/2024/XX/XX/nuance_moveit_settlement/'},
                {'source': 'Massachusetts Federal Court Filing (PDF)'}],
 'regulatory_compliance': {'legal_actions': ['Class action lawsuit (settled '
                                             'for $8.5M)'],
                           'regulations_violated': ['Potential HIPAA '
                                                    'violations (unconfirmed)',
                                                    'State data breach '
                                                    'notification laws']},
 'response': {'communication_strategy': ['Public denial of liability',
                                         'Settlement announcement via court '
                                         'filings'],
              'containment_measures': ['Took MOVEit instance offline '
                                       'immediately',
                                       'Applied patches from Progress '
                                       'Software'],
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': ['Internal investigation',
                                       'Credit-monitoring services for '
                                       'affected individuals']},
 'threat_actor': 'Clop Ransomware Gang',
 'title': 'Nuance MOVEit Transfer Data Breach Settlement',
 'type': ['Data Breach', 'Supply-Chain Attack', 'Class Action Lawsuit'],
 'vulnerability_exploited': 'Progress Software MOVEit Transfer SQL Injection '
                            'Vulnerability (CVE-2023-34362)'}