
Geisinger alerts patients to data incident involving fired Nuance employee

Geisinger is advising its patients that some of their personal information may have been accessed as part of a data breach allegedly committed by a former employee of Nuance Communications, a provider of healthcare IT services.

WHY IT IS IMPORTANT

The Danville, Pennsylvania-based nonprofit, which serves 1.2 million people at more than 130 locations across the state, said Monday that it discovered that a former third-party employee accessed patient information on Nov. 29, 2023 – two days after that employee was fired from Nuance.

Geisinger, a Risant Health company, said it immediately notified Nuance after discovering the unauthorized access and that the Microsoft business partner subsequently locked the former employee’s accounts and blocked his data access.

The employee may have accessed protected information such as birth dates, addresses, admission and discharge or transfer codes, medical record numbers, race and gender information, phone numbers and facility name abbreviations of more than 1 million Geisinger patients, the health system’s statement said.

However, no claim or insurance data, credit card or bank account numbers, other financial information or Social Security numbers were compromised in the incident, Geisinger said.

The health system said the people concerned had not yet been notified due to the police investigation, which led to charges being brought against an unnamed person.

Nuance will send notifications to affected individuals by post.

Geisinger urged affected patients to check their health insurance statements and contact their insurer immediately if they discover services they have not received.

THE BIGGER TREND

This latest data breach is yet another reminder that cyberattacks do not always come from cybergangs or state-sponsored cyberterrorism. The insider threat increases as employees are laid off, a phenomenon known as the “termination gap.”

According to Joel Burleson-Davis, senior vice president of worldwide engineering, cyber at Imprivata, there is a risk that a terminated employee’s credentials may remain active for months after they leave the company, representing an increasing vulnerability that is being exploited for cyberattacks.

“Collaboration between healthcare IT and HR is critical to effectively mitigating insider threats,” he told Healthcare IT News last year.

However, if a business partner’s employee is terminated, healthcare organizations may be in violation of HIPAA. The healthcare sector is a leader in third-party data breaches, and sources of risk include specialized platforms that integrate with electronic health records and other information systems.

ON THE RECORD

“The privacy of our patients and members is our top priority and we take protecting it very seriously,” Jonathan Friesen, Geisinger’s privacy officer, said in a statement. “We continue to work closely with authorities in this investigation and while I am grateful that the perpetrator was caught and is now facing charges in federal court, I am sorry that this happened.”

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.