Microsoft-owned company settles MOVEit lawsuit for $8.5M

A U.S. District Court judge in Massachusetts preliminarily approved an $8.5 million settlement stemming from a 2023 data breach at Microsoft-owned Nuance Communications that impacted more than 1 million patients. Microsoft acquired Nuance Communications, a healthcare business associate that provides AI-powered solutions, in 2022.

As previously reported, cyberthreat actors discovered and exploited a critical zero-day vulnerability in Progress Software's MOVEit Transfer software, a widely used managed file transfer solution that helps users securely send and receive files. Nuance Communications was one of hundreds of organizations impacted by the widespread vulnerability exploitation in 2023. The incident impacted several healthcare organizations and business associates and sparked discussions about the importance of third-party risk management.

Nuance disclosed the 1.2 million-record data breach on behalf of 13 of its healthcare clients, including UNC Health, WakeMed Health & Hospitals, and Novant Health. The breach involved names, demographic information, names of relatives, dates of service, medical facility information, practitioner's name, health insurance numbers, medication information, diagnoses and patient identifiers.

Several lawsuits against Nuance Communications were consolidated into a single filing. The plaintiffs alleged that Nuance failed to implement the proper safeguards to safeguard data held within its MOVEit software. Progress Software itself is also facing numerous lawsuits related to the MOVEit breach.

If the Nuance lawsuit receives final approval, the $8.5 million will go toward attorneys' fees, administrative costs and individual awards for the class representatives and class members.

"The Court finds that the proposed settlement creates an equitable claims process that will allow settlement class members an opportunity to obtain reimbursement for certain types of harm they may have suffered as a result of events alleged in the litigation," the judge stated in the preliminary approval order.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.