Progress Software recently experienced a data security incident originating from a zero-day vulnerability in its MOVEit secure file transfer software, which impacted Nuance Communications (“Nuance”) and many other organizations. Nuance provides clinical documentation solutions to Catholic Health Initiatives Colorado (formerly managed as Centura Health Corp.) and other healthcare providers and used MOVEit to securely transfer files on behalf of those healthcare providers. No Catholic Health Initiatives Colorado systems were impacted, but certain patient information within the MOVEit environment was affected. This notice explains the incident, the measures taken in response and the steps individuals can take to protect their personal information.
When Progress Software disclosed the incident to Nuance on May 31, 2023, Nuance immediately took steps to secure systems and launched an investigation, which was conducted by experienced cybersecurity experts. Patches were installed as soon as they were available. The investigation determined that the event occurred between May 28 and 29, 2023, and was limited to the MOVEit Transfer application. As soon as Catholic Health Initiatives Colorado became aware of the incident, a comprehensive review was performed and on August 14, 2023, Catholic Health Initiatives Colorado confirmed that some patients had information that was included in the third-party incident. That information included patient name, date of service, facility name, type of service, and for some patients, medical record number. Social security numbers, financial information, and health insurance ID/number were not included. Nuance has reported the incident to law enforcement and will fully cooperate with any investigation.
Data privacy and security are among Nuance’s highest priorities. The company has extensive measures in place to protect information entrusted to them. To help prevent similar incidents from happening in the future, they have implemented and are continuing to implement new information security tools, processes, and procedures to further strengthen the security of their IT system environments.
There is no evidence that patient information has been misused in any way. However, as a precaution, patients who were impacted received letters in the mail. Individuals should remain vigilant against incidents of identity theft and fraud, review account statements, and monitor their free credit reports for suspicious activity and to detect errors. Individuals can obtain a free copy of their credit report online at www.annualcreditreport.com, by calling toll-free (877) 322-8228, or by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.
Nuance has set up a dedicated, toll-free patient call center to answer questions about this incident. Beginning September 15, 2023, impacted individuals can call 888-988-0380 Monday through Friday between 8:00 a.m. and 5:30 p.m. Central Time, excluding major U.S. holidays. Information will also be available at https://www.nuance.com/moveit-support.html.
CommonSpirit Health is a nonprofit, Catholic health system dedicated to advancing health for all people. It was created in February 2019 by Catholic Health Initiatives and Dignity Health. The Colorado/Kansas/Utah Division includes 20 hospitals, 240 physician practices and clinics, emergency and urgent care centers, home care and hospice services, and Flight For Life® Colorado. With its national office in Chicago and a team of over 175,000 employees and 25,000 physicians and advanced practice clinicians, CommonSpirit operates 142 hospitals and more than 2,200 care sites across 24 states. In FY 2022, CommonSpirit had revenues of $33.9 billion and provided $4.9 billion in charity care, community benefit, and unreimbursed government programs. Learn more at www.commonspirit.org.