Nuance the Latest NotPetya Victim to Report Financial Impact



It's been weeks since the NotPetya ransomware attacks hit organizations worldwide. But some companies are still struggling to recover, including some that admit their financial results will be hurt by the disruption to their businesses and ability to service customers. Medical transcription software vendor Nuance is the latest.


On July 21, the Waltham, Massachusetts-based company issued a financial statement warning Wall Street analysts that its fiscal 2017 Q3 and likely Q4 revenue and earnings results would be negatively impacted by the June 27 ransomware attack. Nearly a month after the attack, the company is still trying to restore all its services to customers. Most impacted has been its medical transcription services business.


Among Nuance customers affected by the service disruption is Beth Israel Deaconess Health System in Boston.


"The lesson learned is that Nuance needs to have a more distributed computing environment - and their senior staff have told me they are planning to embrace the public cloud," says John Halamka, CIO at Beth Israel Deaconess.


Other Victims


The announcement by Nuance follows a similar one from package delivery giant FedEx. The Memphis, Tennessee-based company said on July 17 in a form 10-K annual report filing with the U.S. Securities and Exchange Commission that "2018 results will be negatively affected by our TNT Express integration and restructuring activities, as well as the impact of the TNT Express cyberattack."


Other companies are also reportedly still struggling to fully recover from the NotPetya attacks include thet Danish conglomerate Maersk and pharmaceutical giant Merck.


But the disruption won't impact Merck's bottom line, the company says in a statement provided to Information Security Media Group. "We don't expect to see any appreciable impact on second quarter results. We have made good progress in our response to the June 27 global cyber attack. We have implemented business continuity plans and continue to ship orders and meet patients' needs. We and our external partners see no indication that the company's data have been compromised."


The outbreak of NotPetya - aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya, Diskcoder.C - followed just six week after the outbreak of WannaCry malware. Both targeted flaws in Microsoft Windows that the software giant has since patched (see Ransomware Smackdown: NotPetya Not as Bad as WannaCry).


"Not Petya signaled a new paradigm shift as attackers are willing to launch attacks specifically to disrupt and destroy IT assets and data," says Mac McMillan, president of the security consultancy Cynergistek.


Nuance's admission that the ransomware attack is affecting its financial performance may be a first for a company serving the healthcare sector. "We have had [healthcare] companies and providers make such reports from other breaches, but I believe this is the first we've seen as a result of ransomware," McMillan notes.


Impact on Nuance


In the July 21 statement, Nuance says it expects the malware incident to have an impact on its financial results for third fiscal quarter of 2017 "primarily owing to the loss of healthcare transcription revenues in the final week of the third quarter and the inability to fulfill partner orders for imaging products during the same period."


Nuance says it expected its revenue for the third quarter will be in the $494 million to $498 million range, down from the original expectation of $509 million to $513 million.


Third quarter earnings will also be lower, with the expectation now 26 cents to 28 cents per share, down from the original forecast of 29 cents to 31 cents per share, the company says.


Nuance adds in the statement that while it has made "significant progress in remediating systems related to the malware incident, the company nonetheless expects a material effect on financial results for its fourth fiscal quarter of 2017."


The impact will be primarily related to Nuance's health information management transcription business as the company continues to reactivate customers during the quarter, the statement says. "Nuance expects to have service restored to substantially all of its clients on its flagship HIM transcription platform, eScription LH, within two weeks, while taking all measures to bring back its clients efficiently and securely."


The company's eScription RH and Clinic 360 solutions that reside on the cloud-based HIM transcription platform, Emdat, were restored to their full capability for that entire customer base on July 3, Nuance says.


Meanwhile, the Critical Test Results application, which is part of Nuance's Diagnostics radiology workflow solutions, was reactivated for all clients on July 16.


"As a part of the restoration efforts, Nuance has hardened its systems with enhanced security and with the latest anti-malware agents," the company says.


Nuance is providing cloud-based options for its clients who were on older transcription platforms. "The PowerScribe and Dragon Medical cloud solutions were not impacted and remain unaffected by the incident with Dragon Medical cloud adoption increasing as an alternative for physicians to capture patient documentation."


New Issues


The recent global ransomware attacks on companies across all sectors are bringing along new problems for organizations impacted, says privacy attorney Kirk Nahra of the law firm Wiley Rein.


"Ransomware in general is creating some new categories of issues for the healthcare industry and others," he says. "We have been focused on patient data breaches for a long time, and while those remain challenging, we have gotten a little better at dealing with those issues - including [breach] notice, mitigation, etc.," he says.


"Ransomware is different, because it is an issue of whether companies can actually do their business. It focuses attention on things like encryption, back-ups, unique data sets, etc., that we haven't seen most of the time in 'traditional' data breaches. So, we can expect to see more of these problems, especially with "first tier" companies, meaning companies that have unique data - such as a hospital or an electronic records company - where there may be no other viable source of the data."The recent ransomware attacks should push companies to be more aware of how to prevent these kinds of attacks, Nahra says, pointing to the importance of "having accessible and complete back-up systems, preserved in a separate way so that a single ransomware attack doesn't take out both the original and the back-up."


Keith Fricke, principal consultant at tw-Security, says the disruptions to healthcare entities that depend on Nuance' transcription services is an important reminder to covered entities about the need to assess the risks posed by business associates.


"For too long, covered entities have taken the signed business associate agreement at face value," he says. "Nuance's recent ransomware event underscores the importance of covered entities digging a little deeper into the security practices of the vendors to whom they entrust protected health information. ... This incident underscores why the HIPAA Security Rule has provisions for response plans, disaster recovery plans and data backups."