Microsoft subsidiary Nuance held responsible for data theft by former employees

Facepalm: When it comes to managing digital data and user privacy, disgruntled former employees can become a threat for a variety of reasons. One such incident occurred in November 2023, with Microsoft indirectly involved as the owner of the biometrics company used by a major healthcare provider.

Geisinger Health, one of the leading healthcare providers in the US, suffered a serious security breach after a former Nuance employee accessed patient data without authorization. Confidential information on hundreds of thousands of people may have been stolen, but the extent of the abuse is currently unclear.

Nuance, a speech recognition company acquired by Microsoft in 2021 for $19.7 billion, provides IT services to Geisinger, which operates 13 hospitals and serves more than 600,000 commercial and government members. The security incident occurred in November, and Geisinger was promptly notified by Nuance of the former employee’s unauthorized access.

Both companies launched investigations and were asked by U.S. law enforcement to delay notifying affected patients until now. Nuance’s investigation confirmed that the former employee “may have accessed and stolen information” relating to more than one million patients cared for by Geisinger.

The stolen data varied by patient, but could have included names, birth dates, addresses, medical record numbers, race, gender, phone numbers and more, Geisinger confirmed. There was no “unauthorized access to insurance, credit card, bank account or other financial information,” the company said.

Nuance removed the former employee from its systems shortly after the data breach was discovered, and the individual has since been arrested by federal authorities. Jonathan Friesen, Geisinger’s chief privacy officer, stressed that patient privacy is the company’s “top priority” and that Geisinger is working closely with authorities to complete the ongoing investigation.

Nuance has previously been accused of not properly managing the access rights of former employees. Since Nuance became part of Microsoft three years ago, the security issues now directly impact the parent company. CEO Satya Nadella recently stated that operational security is the company’s top priority.