Microsoft’s Nuance Coughs Up $8.5m To Rid Itself Of MOVEit Breach Suit

Microsoft-owned talk-to-text outfit Nuance has agreed to cough up $8.5 million to settle a class action lawsuit over the sprawling MOVEit Transfer mega-breach – although it admits no liability.

The proposed deal [PDF], filed in a Massachusetts federal court last week, would draw a line under litigation brought by individuals who claimed that the company failed to properly secure personal information later snatched by attackers exploiting Progress Software’s MOVEit vulnerability.

Nuance, best known for its medical transcription and speech recognition systems, was one of hundreds of organizations caught in the blast radius of the Clop ransomware gang’s 2023 mass exploitation of MOVEit Transfer. Court filings state that roughly 1.225 million people had their data siphoned from Nuance’s MOVEit environment.

The plaintiffs accused Nuance of negligence, arguing that the company could have prevented or at least blunted the incident with “reasonable data security measures.” They also pointed the finger at MOVEit developer Progress, claiming that the vendor hadn’t made clear to users – including Nuance – that MOVEit wasn’t a “set it and forget it” product when it came to securing transfers.

Nuance bristled at those allegations, countering that it couldn’t be negligent for relying on a trusted product already deployed by “thousands of businesses and government entities worldwide.” The firm stressed that it acted quickly once the flaw became public: taking its MOVEit instance offline, applying patches as Progress released them, and launching its own investigation.

Court filings also show Nuance planned to argue that negligence couldn’t be established because it had no direct contractual relationship with the individuals affected. The data at issue, it said, had been supplied by downstream healthcare providers and custodians. “Nuance denies these allegations and any fault or liability in this matter,” the memorandum reads.

Despite those repeated denials, Nuance opted to settle rather than roll the dice in court. If approved, the deal will provide payments to affected individuals as well as credit-monitoring services.

The $8.5 million settlement is modest by MOVEit class-action standards, where payouts can stretch into the high single digits or even tens of millions. What really sets Nuance apart is the context: it operates firmly in the healthcare space, where exposed patient data draws extra scrutiny from regulators and the media.

Nuance has consistently characterized itself as a victim, not a culprit, in the Clop campaign, which indiscriminately hoovered up files from exposed MOVEit servers worldwide.

The MOVEit breach has since become one of the most litigated cyber incidents in US history. Progress Software itself faces a swelling docket of lawsuits, while dozens of class actions have targeted its customers. For Microsoft-owned Nuance, this settlement may finally close the book on its MOVEit headache, though the wider fight over liability in supply-chain breaches is still far from settled. ®

