
Congressional Committee Wants Nuance to Share NotPetya Details

Wants Transcription Company to Help Identify Lessons Learned

A House committee is requesting a briefing with medical transcription services vendor Nuance Communications to learn details about the impact the global NotPetya malware attack in June has had on the company.


The Oct. 19 letter to Nuance CEO Paul Ricci from Greg Walden, R-Ore., chair of the House Committee on Energy and Commerce, requests a "formal briefing." It follows similar letters Walden - and former oversight subcommittee chair Tim Murphy, R-Penn. - sent on September 20 seeking briefings with pharmaceutical maker Merck and former U.S. Department of Health and Human Services Secretary Tom Price about the NotPetya attacks.

Since the Sept. 20 letters were sent to Merck and HHS, Murphy has resigned from the House and Price has resigned from HHS amid separate controversies.

What Congress Wants to Learn

In the letter to Nuance, Walden cites the company's statements, as well as media reports, that Nuance's ability to provide vital transcription and dictation services to healthcare professionals was affected by the malware strain known as NotPetya.

"While Nuance has announced that impacted services have been fully restored, Nuance's original infection and its effects adds to the growing list of concerns about the potential consequences of cyber threats to the healthcare sector," Walden writes. "It is important, therefore, for the committee to understand the details of this event so we can work together to ensure appropriate lessons are identified and addressed. Learning from this event will not only benefit the healthcare sector, but also the millions of patients who depend on the availability of its products and services."

In the letter requesting a formal briefing by Nov. 2, Walden tells Nuance that "the committee wishes to better understand the circumstances surrounding Nuance's initial infection by NotPetya, as well as what steps it has taken in order to recover and resume full capabilities."

On July 21, the Waltham, Massachusetts-based company issued a financial statement warning Wall Street analysts that its fiscal 2017 third and fourth quarter revenue and earnings results would be negatively impacted by the June 27 ransomware attack.

In addition, Nuance on July 31 issued an unusual public letter to customers explaining why the medical transcription services vendor had decided not to report the security incident to federal regulators under the HIPAA breach notification rule.

In that letter, Nuance contended that the NotPetya attack did not result in a breach of ePHI that must be reported to regulators, even as the company acknowledged that the disruption the malware attack caused to the medical transcription services it provides to healthcare organizations had also impacted the vendor's bottom line (see Nuance: NotPetya Attack Was Not a Reportable Health Data Breach).


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



