


Senior Staff Writer

Nuance says NotPetya attack led to $92 million in lost revenue

Feb 28, 2018
Application Security, Cybercrime, Data Breach

Recent SEC filings disclose losses and predict additional spend in 2018 for security enhancements and upgrades


Nuance Communications, a software company that offers speech and imaging technology to a number of markets, including healthcare and finance, said the 2017 NotPetya malware attacks caused the company to lose $92 million in revenue, and that number is expected to grow as they push forward into 2018.

The NotPetya disclosure was referenced in the company’s latest 10-Q filing with the Securities and Exchange Commission (SEC).

According to the filing, the June 27, 2017 attack affected systems used by their healthcare customers, primarily for transcription services, and systems used by their imaging division to receive and process orders.

“For fiscal year 2017, we estimate that we lost approximately $68.0 million in revenues, primarily in our Healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the Malware Incident. Additionally, we incurred incremental costs of approximately $24.0 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses,” the report states.

In addition, the NotPetya incident had an impact on the company during the first quarter of FY2018, including hits to expected future earnings in on-demand healthcare solutions and on-demand contracts.

“In addition, we expect to expend additional resources during fiscal year 2018 and beyond to continue to enhance and upgrade information security,” the report adds.

Nuance says the attack on their systems started at 07:00 a.m. EST on June 27, 2017, which caused outages that lasted until early August.

In a blog post on July 28, 2017, Satish Maripuri, executive vice president and general manager of Nuance Healthcare, said the company was “restoring client functionality quickly and safely,” adding that the momentum was strong and the company was “moving rapidly to complete a recovery process for all affected clients.”

A company update page shows a final recovery update on August 4, 2017.

Nuance was one of the U.S. companies hardest hit by the malware, which the US government called “a reckless and indiscriminate cyber-attack” by the Russian military. The UK government issued a similar statement condemning the Russian military for alleged acts. Russian officials denied any connection to the incident, calling the accusations unsubstantiated and groundless.

An investigation by the company determined that the NotPetya attack constituted a security incident under the HIPAA Security Rule, but not a breach of PHI under the Breach Notification Rule (BNR), a stance that was repeated in a notification letter to customers.

Nuance’s 10-Q report also referenced a data breach of their hosted Nuance transcription platform, which impacted 45,000 individuals. Customers on that platform were notified and moved to the eScription transcription platforms shortly after the incident occurred.

Edit: This story and headline were updated to correct the total losses reported to the SEC. The actual figure is $92 million.