[BreachExchange] Nuance says NotPetya attack led to $98 million in lost revenue

Destry Winant destry at riskbasedsecurity.com
Wed Feb 28 21:12:22 EST 2018


Nuance Communications, a software company that offers speech and
imaging technology to a number of markets, including healthcare and
finance, said the 2017 NotPetya malware attacks caused the company to
lose $98 million in revenue, and that number is expected to grow as
they push forward into 2018.

The NotPetya disclosure was referenced in the company's latest 10-Q
filing with the Securities and Exchange Commission (SEC).

According to the filing, the June 27, 2017 attack affected systems
used by their healthcare customers, primarily for transcription
services, and systems used by their imaging division to receive and
process orders.

"For fiscal year 2017, we estimate that we lost approximately $68.0
million in revenues, primarily in our Healthcare segment, due to the
service disruption and the reserves we established for customer refund
credits related to the Malware Incident. Additionally, we incurred
incremental costs of approximately $24.0 million for fiscal year 2017
as a result of our remediation and restoration efforts, as well as
incremental amortization expenses," the report states.

In addition, the NotPetya incident had an impact on the company during
the first quarter of FY2018, including hits to expected future earnings
in on-demand healthcare solutions and on-demand contracts.

"In addition, we expect to expend additional resources during fiscal
year 2018 and beyond to continue to enhance and upgrade information
security," the report adds.

Nuance says the attack on their systems started at 07:00 a.m. EST on
June 27, 2017, and caused outages that lasted until early August.

In a blog post on July 28, 2017, Satish Maripuri, executive vice
president and general manager of Nuance Healthcare, said the company
was "restoring client functionality quickly and safely," adding that
the momentum was strong and the company was "moving rapidly to
complete a recovery process for all affected clients."

A company update page shows a final recovery update on August 4, 2017.

Nuance was one of the U.S. companies hardest hit by the malware, which
the US government called "a reckless and indiscriminate cyber-attack"
by the Russian military. The UK government issued a similar statement
condemning the Russian military for alleged acts. Russian officials
denied any connection to the incident, calling the accusations
unsubstantiated and groundless.

An investigation by the company determined that the NotPetya attack
constituted a security incident under the HIPAA Security Rule, but not
a breach of PHI under the Breach Notification Rule (BNR), a stance that
was repeated in a notification letter to customers.

Nuance's 10-Q report also referenced a data breach of their hosted
Nuance transcription platform, which impacted 45,000 individuals.
Customers on that platform were notified and moved to the eScription
transcription platforms shortly after the incident occurred.
