Data Breaches Announced by Langdon & Company; Michigan Medicine
A cyberattack has been announced by the North Carolina accountancy firm Langdon & Company, and Michigan Medicine has experienced a mailing incident that exposed patient information.
Langdon & Company, North Carolina
Langdon & Company, LLP, a certified public accountancy firm based in Garner, North Carolina, has recently notified 46,061 individuals about a breach of some of their protected health information. Langdon & Company is a business associate of Easterseals North Carolina & Virginia, which provides services to individuals with disabilities.
Unusual network activity was identified by the accountancy firm on April 28, 2024. Cybersecurity experts were engaged to investigate and determine the nature and scope of the activity. The forensic investigation revealed unauthorized network access between April 21 and April 28, 2024, during which time files were exfiltrated from its network.
It has taken more than a year to review the affected files and issue notification letters. Langdon & Company said the delay was due to the extensive analysis required to review all the affected data. The data review was not finalized until June 3, 2025, and notification letters were mailed on or around August 1, 2025. The data involved varied from individual to individual and may have included names in combination with one or more of the following: address, birth date, taxpayer identification number, Social Security number, financial account information, medical information, health insurance information, and/or digital signature.
The affected individuals have been offered complimentary credit monitoring and identity theft protection services, steps have been taken to improve data security, and any information that does not need to be retained for business purposes or legal reasons is being destroyed.
Michigan Medicine
Michigan Medicine has notified 1,015 patients about the exposure of a limited amount of their protected health information as a result of a mailing error. On June 27, 2025, potential participants in a research study were contacted by mail regarding the study. The requests were sent on postcards, which were not in envelopes, resulting in the exposure of protected health information to anyone who may have come into contact with the postcards. When the error was identified, the research study staff took immediate action to prevent any further postcards from being mailed.
The investigation revealed that the University of Michigan’s Institutional Review Board (IRB), which is responsible for oversight of research studies, had mistakenly approved the use of postcards for contacting study participants. The IRB is taking steps to ensure that similar incidents are prevented in the future, including improving education about protecting PHI in communication materials.
Michigan Medicine has experienced eight reportable data breaches since 2018 that have affected more than 500 individuals, including two phishing incidents last year that each affected more than 50,000 individuals. “We take patient privacy very seriously, and we regret this incident. Whenever situations like this occur, we immediately take steps to investigate,” said Jeanne Strickland, Michigan Medicine Chief Compliance Officer. “We will analyze this incident and review our safeguards and make changes if needed to protect those we care for.”
The post Data Breaches Announced by Langdon & Company; Michigan Medicine appeared first on The HIPAA Journal.
Nuance Communications Settles MOVEit Lawsuit for $8.5 Million
A District Court judge has recently given preliminary approval to an $8.5 million settlement to resolve a consolidated class action complaint against the HIPAA business associate Nuance Communications over a May 2023 data breach.
Nuance Communications is a Microsoft-owned computer software company based in Burlington, Massachusetts. The company provides speech recognition solutions and is a vendor to the healthcare industry. Its AI-powered healthcare software solutions are used by physicians and radiologists to deliver personalized and connected experiences to improve care management.
Nuance used Progress Software’s MOVEit Transfer software solution for file transfers. In May 2023, a hacking group known to target file transfer solutions found and exploited a zero-day vulnerability that allowed access to data stored within the MOVEit environment. Nuance has previously confirmed that 13 of its healthcare provider clients were affected. The breached data included names, addresses, email addresses, birth dates, and information related to health records and health insurance. Nuance said 1,225,054 individuals were affected. In total, the breach involved unauthorized access to the personal data of approximately 93 million individuals.
Many class action lawsuits were filed in relation to the MOVEit data breach, six of which were filed against Nuance Communications and were consolidated into a single complaint – In Re: MOVEit Customer Data Security Breach Litigation – as the lawsuits had overlapping claims. The lawsuits alleged that Nuance Communications was negligent in failing to implement appropriate safeguards to ensure all data within the MOVEit system was protected against unauthorized access.
Nuance denies liability for all claims and maintains that it engaged in no wrongdoing, violated no one’s privacy, and breached no contract; it nevertheless chose to settle the litigation. Under the terms of the settlement, Nuance has agreed to create an $8.5 million settlement fund to cover attorneys’ fees (up to $2,833,333.33), attorneys’ expenses, settlement administration and notice costs ($550,000), and class representative awards ($2,500 per named plaintiff). After those costs have been deducted from the settlement, the remainder will be used to pay for benefits to class members.
Under the terms of the settlement, class members may submit a claim for reimbursement of out-of-pocket expenses and losses linked to the data breach. Claims may be submitted for ordinary losses up to a maximum of $2,500 per class member, and up to $10,000 for reimbursement of extraordinary losses. Claims for losses can include up to 4 hours of lost time at $25 per hour.
Alternatively, class members may submit a claim for a cash payment, which is expected to be approximately $100 per class member, although it is subject to a pro rata adjustment depending on the number of claims received. All class members are entitled to claim 2 years of credit monitoring, identity theft protection, and insurance services.
The Honorable Allison D. Burroughs of the U.S. District Court for the District of Massachusetts has recently given preliminary approval to the settlement, and the final approval hearing is scheduled for March 18, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 24, 2025, and the deadline for submitting claims is 30 days later. More than 100 other lawsuits filed over the MOVEit data breach are pending. Some of the other affected companies have already announced settlements.
Warnings Issued About RCE Vulnerabilities in FortiSIEM & N-able N-central
Warnings have been issued about a critical vulnerability in Fortinet FortiSIEM with publicly available exploit code and two actively exploited vulnerabilities in N-able N-central.
FortiSIEM
FortiSIEM is a central security information and event management (SIEM) solution used by network defenders for logging, network telemetry, and security incident alerting. FortiSIEM is commonly used by large enterprises, healthcare providers, and government entities. Fortinet has issued a warning about a command injection flaw that can be exploited remotely by an unauthenticated attacker, and for which exploit code exists in the wild. It is therefore essential to patch promptly, before the vulnerability can be exploited.
The vulnerability, CVE-2025-25256, is a critical flaw affecting FortiSIEM versions 5.4 to 7.3 and has a CVSS base score of 9.8 out of 10. Successful exploitation of the flaw would allow an unauthenticated attacker to remotely execute code or commands via crafted CLI requests. Fortinet did not state whether the vulnerability has already been exploited, only that functional exploit code was found in the wild.
Fortinet has fixed the vulnerability in the following versions:
- FortiSIEM 7.3.2
- FortiSIEM 7.2.6
- FortiSIEM 7.1.8
- FortiSIEM 7.0.4
- FortiSIEM 6.7.10
No fixed release is listed for the FortiSIEM 5.4 to 6.6 branches; users of those versions should upgrade to a supported version that is patched against the vulnerability. If it is not possible to update to a patched version, Fortinet has suggested a workaround, which involves limiting access to the phMonitor service on port 7900.
N-able N-central
N-able N-central is a remote monitoring and management (RMM) solution, commonly used by managed service providers (MSPs) to manage and maintain devices on their clients’ networks. Two vulnerabilities have been identified that are under active exploitation.
The vulnerabilities are tracked as CVE-2025-8875, an insecure deserialization vulnerability that could allow command execution, and CVE-2025-8876, a command injection vulnerability due to improper sanitization of user input. No CVSS scores have yet been issued for the vulnerabilities; however, CISA warns that both are under active exploitation. N-able explained in a security alert that the vulnerabilities require authentication to exploit.
N-able has released patches to fix the vulnerabilities, and customers are urged to update to version 2025.3.1 as soon as possible. The fixed version was released on August 13, 2025, and further information about the vulnerabilities will be released by N-able in three weeks, to give customers time to update to a fixed version.
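The practical task behind both advisories is the same: compare what is deployed against the fixed releases and decide, per host, whether it is patched, must be upgraded, or (for FortiSIEM only) needs the port-7900 restriction as an interim control. The following script is an added example, not tooling from Fortinet, N-able or The HIPAA Journal. It takes the fixed FortiSIEM releases (7.3.2, 7.2.6, 7.1.8, 7.0.4, 6.7.10), the affected range 5.4 to 7.3, and the N-central fix version 2025.3.1 from the article; the inventory entries are constructed sample data, and the rule that any N-central release below 2025.3.1 is treated as needing the update is an assumption, since the article gives only the fixed version. Unparseable version strings are reported as unknown rather than silently treated as safe.

```python
"""Triage a small product inventory against the FortiSIEM and N-central advisories.

Added example (not vendor tooling). Fixed versions are those quoted in the
article; inventory rows below are constructed sample data.
"""
from __future__ import annotations

# Fixed release per FortiSIEM branch (CVE-2025-25256), from the Fortinet advisory.
FORTISIEM_FIXED = {
    (7, 3): (7, 3, 2),
    (7, 2): (7, 2, 6),
    (7, 1): (7, 1, 8),
    (7, 0): (7, 0, 4),
    (6, 7): (6, 7, 10),
}
# The advisory's stated affected range is 5.4 to 7.3; branches 5.4-6.6 have no in-branch fix.
FORTISIEM_AFFECTED_MIN = (5, 4)
FORTISIEM_AFFECTED_MAX = (7, 3)

# N-able N-central fix for CVE-2025-8875 / CVE-2025-8876, from the N-able alert.
NCENTRAL_FIXED = (2025, 3, 1)


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '7.2.5' into (7, 2, 5); return None for anything that is not dotted integers."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def fortisiem_status(version: str) -> str:
    """Classify one FortiSIEM version: unknown / out-of-scope / patched / vulnerable."""
    v = parse_version(version)
    if v is None or len(v) < 2:
        return "unknown: unparseable version, verify manually"
    branch = (v[0], v[1])
    full = (v[0], v[1], v[2] if len(v) > 2 else 0)
    if branch < FORTISIEM_AFFECTED_MIN or branch > FORTISIEM_AFFECTED_MAX:
        return "out-of-scope: outside the advisory's stated 5.4-7.3 range, verify separately"
    if branch in FORTISIEM_FIXED:
        fixed = FORTISIEM_FIXED[branch]
        if full >= fixed:
            return "patched"
        target = ".".join(str(n) for n in fixed)
        return f"vulnerable: upgrade to {target}; interim control is restricting phMonitor port 7900"
    # Branches 5.4 through 6.6: listed as affected, no fixed release in that branch.
    return "vulnerable: no fix in this branch, upgrade to a supported patched branch"


def ncentral_status(version: str) -> str:
    """Classify one N-central version against the 2025.3.1 fix (assumption: older is affected)."""
    v = parse_version(version)
    if v is None:
        return "unknown: unparseable version, verify manually"
    padded = (v + (0, 0, 0))[:3]  # '2025.3' compares as (2025, 3, 0)
    if padded >= NCENTRAL_FIXED:
        return "patched"
    return "vulnerable: update to 2025.3.1 (both CVEs under active exploitation)"


CLASSIFIERS = {"fortisiem": fortisiem_status, "ncentral": ncentral_status}


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map hostname -> status for (hostname, product, version) rows."""
    results = {}
    for host, product, version in inventory:
        classify = CLASSIFIERS.get(product.lower())
        results[host] = classify(version) if classify else f"unknown: no advisory for {product}"
    return results


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("siem-01.example", "fortisiem", "7.2.5"),
    ("siem-02.example", "fortisiem", "7.3.2"),
    ("siem-legacy.example", "fortisiem", "6.6.3"),
    ("rmm-01.example", "ncentral", "2025.2.9"),
    ("rmm-02.example", "ncentral", "2025.3.1"),
    ("rmm-03.example", "ncentral", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status}")
```

The branch-aware comparison matters because a version number alone is misleading here: 6.7.10 is patched while the numerically lower 6.6.x branch has no fix at all, and 7.0.4 is patched while 7.2.5 is not. Feeding real inventory into `triage` gives a per-host answer that separates "apply the in-branch update" from "migrate branches" and "restrict port 7900 in the meantime".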