A District Court judge recently approved a settlement of a consolidated class action complaint for $8.5 million against Nuance Communications in association with a data breach in May 2023.
This computer software firm, based in Burlington, Massachusetts, is owned by Microsoft. HIPAA business associate, Nuance Communications, offers speech recognition programs to clients in the healthcare industry, including HIPAA-compliant entities. Doctors and radiologists use its AI-powered healthcare software programs to provide individualized and connected experiences for better care management.
Nuance utilized Progress Software’s MOVEit Transfer software program for transferring files. In May 2023, a hacking group recognized for targeting file transfer solutions exploited a zero-day vulnerability to access information saved in the MOVEit environment. Nuance has earlier stated that 13 of its healthcare company clients were impacted. The breached information included names, email addresses, addresses, dates of birth, and data associated with medical records and health insurance. Nuance mentioned that the breach affected 1,225,054 individuals. Including all breached entities, the unauthorized access resulted in the compromise of the personal information of around 93 million individuals.
Several class action lawsuits were submitted in connection with the MOVEIt data security breach. The six lawsuits filed against Nuance Communications were combined into one, In Re: MOVEit Customer Data Security Breach Lawsuit, since the lawsuits had similar claims. The lawsuits complained about the negligence of Nuance Communications in failing to apply proper safety measures to make sure all information in the MOVEit system was secured against unauthorized access.
Nuance does not admit any liability for all claims and states that it did no wrong; it did not commit any privacy violation or breach of contract. Nonetheless, it opted to resolve the lawsuit. As per the terms of the settlement, Nuance will set up an $8.5 million settlement fund to pay for attorneys’ fees ($2,833,333.33 maximum), attorneys’ costs, settlement management and notice expenses ($550,000), and $2,500 class representative awards for each named plaintiff. The outstanding settlement fund, after deducting all costs, will be used for paying class members’ benefits.
With the terms of the settlement, class members could file a claim to reimburse out-of-pocket expenditures and losses associated with the data breach. Claims could be filed to reimburse up to $2,500 ordinary losses per class member, and up to $10,000 extraordinary losses. Claims for losses may be filed for up to 4 hours of lost time valued at $25 an hour.
As an alternative, class members could file a claim for approximately $100 cash payment per class member. The amount may be adjusted pro rata based on the number of claims submitted. All class members are eligible to avail credit monitoring and identity theft protection, and insurance services for 2 years.
The U.S. District Court for the District of Massachusetts’ Honorable Allision D. Burroughs gave preliminary approval of the settlement. The schedule of the final approval hearing is March 18, 2026. Those who want to object to or exempt themselves from the settlement should do so on or before November 24, 2025. The last day to file claims is 30 days after. There are over 100 pending lawsuits associated with the MOVEit data breach. Some of the impacted companies have already published their settlements.