Nuance struggling to recover after Petya cyber attack

Register now

Many doctors still can’t use a transcription service made by Nuance Communications three weeks after the company was hit by a powerful, debilitating computer attack.

Integrated delivery systems, including Beth Israel Deaconess in Boston and the University of Pittsburgh Medical Center said eScription, a Nuance product that enables physicians to dictate notes from a telephone, still isn’t functioning. The outage obliterated doctors’ instructions to patients, forcing some to revert to pen and paper.

The computer virus, called Petya, has sent ripples throughout the healthcare industry, which is frequently targeted by hackers, said Michael Ebert, a partner with KPMG who advises health and life-science companies on cybersecurity.

The University of Pittsburgh Medical Center, a system of 25 hospitals and 3,600 doctors, said its dictation and transcription services are still affected “with no estimated time of resolution.” The organization is using features of medical records systems made by Cerner and Epic Systems in the interim, said Ed McCallister, the Pittsburgh system’s chief information officer.

After acknowledging June 28 that portions of its network were affected, Nuance, based in Burlington, Mass., is still picking up the pieces. In addition to transcription, Nuance named about 10 other affected products, including those used for radiology, billing and software that tracks quality of care.

About half of the company’s $1.95 billion in revenue came from its healthcare and dictation business last year. The malware attack represents a big risk for Nuance, as many of its customers use products that appear to have been affected, according to Bloomberg Intelligence analyst Mandeep Singh.

“Any time there is a cyberattack and a company is exposed to that threat, that presents both reputational risk as well as the risk from disruption,” he said. “Since a lot of the deals get signed toward the end of the quarter, the timing of it could have impacted certain deal closures.”

Nuance said it has been fixing affected systems, enhancing security and bringing customers back online. The company declined to say how many clients were affected by the attack.

“We are doing everything within our power to support our healthcare customers and provide them with the information and resources they need to provide quality patient care, including offering an alternative system and solutions,” company spokesman Richard Mack said this week. “We have no indication that any customer information has been lost or removed from the network.”

The loss of service is an invitation to customers to seek other products and vendors, such MModal, a Nuance rival. Even though Intermountain Health Care, a Salt Lake City-based company that operates 22 hospitals, wasn’t affected, it turned off all its Nuance products and is using other transcription tools, said Daron Cowley, a spokesman.

At Beth Israel Deaconess, a Harvard-affiliated hospital, doctors who have been accustomed to using Nuance’s telephone-based product are switching to its Dragon system, where physicians dictate into a computer, making edits as they go.

That still means lost revenue for Nuance. While the computer-based product is a single software purchase, Nuance bills for eScription by each line of text. So far, it’s been three weeks of revenue they can’t get back, and more users may drop away, said John Halamka, Beth Israel’s chief information officer.

“The hardest thing for a clinician is a change in workflow,” he said. “If you’ve changed for a couple of weeks, you might not go back.”

Nuance has done well to try to maintain customers in the aftermath of the attack, KPMG’s Ebert said, but the damage has already been done. “They’re probably going to have a bad quarter,” he said.

For reprint and licensing requests for this article, click here.