Geisinger, a major healthcare organization in Pennsylvania, has reported a data breach involving a former employee of Nuance, an IT service provider they hired. This shows the risks of using third-party services in healthcare. Geisinger, which runs 134 care sites and ten hospitals serving 1.2 million people, found the breach in November 2023. They quickly acted to block the person’s access to their systems.
The breach occurred when a former Nuance employee accessed Geisinger’s patient database two days after being terminated. Geisinger detected the unauthorized access on November 29, 2023, and immediately informed Nuance, who then blocked the employee’s access.
Subsequently, law enforcement authorities were notified, leading to the former employee’s arrest and charges being filed against them. This rapid response highlights the importance of swift action in mitigating data breaches and protecting sensitive information.
The compromised data includes personal information such as full names, phone numbers, dates of birth, addresses, admit and discharge or transfer codes, medical record numbers, race, gender, and facility name abbreviations.
Geisinger Data Breach by Former Nuance Employee Highlights Risks of Third-Party Services in Healthcare
The specific data exposed varies for each individual based on the services they received from Geisinger. Notably, financial information such as insurance details, credit card numbers, bank account numbers, and Social Security Numbers were not impacted, which helps contain the potential damage from the breach.
Despite the measures taken, it remains uncertain how the former employee intended to use the stolen data or if it has already been disseminated to cybercriminals.
Consequently, potentially affected individuals have been advised to remain vigilant, review their statements carefully, and report any unfamiliar entries to their health insurers. The breach underscores the potential risks posed by former employees with non-revoked access credentials, who may act out of spite and aim to harm the organization’s reputation and operations.
In response to the breach, Lynch Carpenter, a law firm, has initiated an investigation to assess the incident’s scope and explore the possibility of a class-action lawsuit against Geisinger.
This investigation could lead to further legal repercussions for the organization and highlights the broader implications of data breaches in the healthcare sector. The incident serves as a critical reminder of the need for stringent security measures and regular audits of access permissions to prevent unauthorized data access and protect patient privacy.
