June 27, 2024 American healthcare provider Geisinger has revealed that over a million of its patient records may have been stolen, with the breach attributed to a former employee of Nuance Communications, a Microsoft subsidiary.
The security breach, discovered in November, occurred after Nuance terminated an employee who allegedly retained access to corporate files for two additional days. During this period, the ex-employee is suspected of accessing and copying sensitive records from Geisinger, which operates 13 hospitals and has over 600,000 members.
The stolen data includes personal information such as birth dates, addresses, hospital admission and discharge records, and other medical data. Fortunately, no financial or insurance information was compromised.
Geisinger notified Nuance immediately upon discovering the breach on November 29, prompting the IT provider to cut off the former employee’s access and alert law enforcement. Authorities requested a delay in notifying patients to avoid impeding their investigation. The ex-employee has since been arrested and faces federal charges, although specific charges have not been disclosed.
Jonathan Friesen, Geisinger’s chief privacy officer, expressed regret over the incident: “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.”
This isn’t the first time Nuance has faced criticism for security lapses. In 2018, a similar incident occurred when a former Nuance employee accessed patient information at San Francisco’s Department of Public Health.
Microsoft, which acquired Nuance three years ago, has also been scrutinized for its security practices. Recent breaches involving Exchange Online and cloud-based email accounts of US officials have raised concerns about Microsoft’s cybersecurity measures. AJ Grotto, a former White House cyber policy director, even labeled Microsoft a national security threat due to these recurring issues.
In response to the Geisinger incident, a Microsoft spokesperson stated: “We are cooperating with law enforcement and doing what is necessary to support our customer.”
As investigations continue, this incident underscores the critical need for stringent security protocols, especially when handling sensitive healthcare data. Ensuring that terminated employees are immediately cut off from access to corporate systems is a fundamental step in protecting against data breaches.
