
Geisinger alerts patients to data incident involving terminated Nuance employee

Geisinger is notifying its patients that some of their personal information may have been accessed in a data breach allegedly perpetrated by a former employee of Nuance Communications, which provides IT services for the health system.

WHY IT MATTERS

The Danville, Pennsylvania-based nonprofit, which serves 1.2 million people at more than 130 sites across the state, announced Monday that it discovered a former third-party employee had accessed patient information on November 29, 2023 – two days after that employee had been terminated by Nuance.

Geisinger, part of Risant Health, said that, when it discovered the unauthorized access, it immediately notified Nuance, and the Microsoft-owned business associate shut down the former employee’s accounts and prevented their access to records.

The employee may have accessed protected information, including dates of birth, addresses, admit and discharge or transfer codes, medical record numbers, race and gender information, phone numbers, and facility name abbreviations, for more than one million Geisinger patients, according to the health system’s statement.

However, no claims or insurance information, credit card or bank account numbers, other financial information, or Social Security numbers were breached in the incident, Geisinger said.

Affected individuals have not been notified until now due to a law enforcement investigation, which resulted in an unnamed individual facing charges, the health system noted. 

Nuance is mailing notifications to the affected individuals. 

Geisinger encouraged affected patients to review health plan statements and contact their insurer immediately if they see services they did not receive.

THE LARGER TREND

This latest data breach is a fresh reminder that cyberattacks do not always come from cybergangs or state-supported cyberterrorism. Insider threats increase with employee terminations, a phenomenon known as the termination gap.

Leaving a terminated employee’s access credentials active for potentially months after they’ve left an organization is a growing vulnerability exploited for cyberattacks, according to Joel Burleson-Davis, senior vice president of worldwide cyber engineering at Imprivata.

“Collaboration between healthcare IT and HR is crucial for effective insider threat mitigation,” he told Healthcare IT News last year.

However, when a business associate’s employee is terminated, the healthcare organization that shares data with that associate can still be exposed to HIPAA violations. The healthcare sector leads in third-party data breaches, and sources of risk include specialized platforms that integrate with electronic health records and other information systems.
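The termination gap described above is, at its core, a reconciliation problem: the date HR (or a business associate) records a departure, the date the account is actually disabled, and the date of the last activity on that account should line up, and any daylight between them is exposure. The script below is an added example, not code from the article, Geisinger, Nuance or Imprivata. It correlates a constructed offboarding feed (covering both in-house and vendor accounts) with constructed EHR access-log lines and a constructed directory snapshot, and flags any activity after the recorded termination time as well as accounts still enabled past it. The feed format, log format, account names and timestamps are all hypothetical.

```python
"""Termination-gap check (added example, constructed data).

Correlates an offboarding feed with access-log events and a directory
snapshot, then reports (a) any activity on an account after its recorded
termination time and (b) accounts still enabled after that time.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed offboarding feed: account, employer (own staff or business
# associate), termination timestamp (UTC, ISO 8601). Not real data.
TERMINATIONS = """\
jdoe,Example Health,2023-11-20T17:00:00
vend01,Example Vendor Inc,2023-11-27T16:30:00
asmith,Example Health,2023-12-01T12:00:00
"""

# Constructed access-log excerpt in a key=value style. Not real data.
ACCESS_LOG = """\
2023-11-26T09:12:03 app=ehr user=vend01 action=view mrn=000001 src=10.0.5.21
2023-11-28T08:05:44 app=ehr user=jdoe action=login result=failure src=10.0.9.3
2023-11-29T02:41:10 app=ehr user=vend01 action=export rows=1200 src=10.0.5.21
2023-11-29T02:43:55 app=ehr user=vend01 action=view mrn=000234 src=10.0.5.21
2023-11-30T10:15:00 app=ehr user=asmith action=view mrn=000778 src=10.0.7.8
"""

# Constructed directory snapshot: True means the account is still enabled.
ACCOUNT_STATE = {"jdoe": False, "vend01": True, "asmith": True}


@dataclass(frozen=True)
class Finding:
    account: str
    employer: str
    kind: str      # "post_termination_access" or "account_still_enabled"
    detail: str


def parse_terminations(text):
    """Map account -> (employer, termination datetime)."""
    out = {}
    for line in text.strip().splitlines():
        account, employer, ts = line.split(",")
        out[account] = (employer, datetime.fromisoformat(ts))
    return out


def parse_access_log(text):
    """Turn each 'ts key=value ...' line into a dict with a parsed 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def _hours(delta):
    return f"{delta.total_seconds() / 3600:.1f}h"


def termination_gap_findings(terminations, events, account_state, as_of):
    """Flag post-termination activity and still-enabled accounts.

    Every event after the termination time is reported, including failed
    logins: a denied attempt is still a signal that someone tried the
    account after the person left.
    """
    findings = []
    for account, (employer, term_at) in sorted(terminations.items()):
        late = [e for e in events if e.get("user") == account and e["ts"] > term_at]
        if late:
            last = max(e["ts"] for e in late)
            actions = ",".join(e.get("action", "?") for e in late)
            findings.append(Finding(
                account, employer, "post_termination_access",
                f"{len(late)} event(s) up to {_hours(last - term_at)} after termination: {actions}"))
        if as_of > term_at and account_state.get(account, False):
            findings.append(Finding(
                account, employer, "account_still_enabled",
                f"enabled {_hours(as_of - term_at)} after termination"))
    return findings


def run_check(as_of=datetime(2023, 12, 2)):
    """Run the check over the constructed data; as_of is the snapshot time."""
    return termination_gap_findings(
        parse_terminations(TERMINATIONS), parse_access_log(ACCESS_LOG),
        ACCOUNT_STATE, as_of)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.kind:24} {f.account:8} ({f.employer}): {f.detail}")
```

Two design points matter in practice. First, the offboarding feed has to include business-associate staff, which means the vendor must send its terminations to the covered entity (or the covered entity must own the vendor accounts in its own directory); a check that only reads internal HR data would never have seen the vendor account above. Second, the check runs against a snapshot time (`as_of`), so it can be scheduled daily and will keep reporting an enabled account until someone actually disables it, rather than only on the day the termination lands.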

ON THE RECORD

“Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously,” Jonathan Friesen, Geisinger’s chief privacy officer, said in a statement. “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.”

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.