Geisinger reveals data breach by ex-employee affecting million patients

Compromised data included names, dates of birth, addresses, medical record numbers, and other personal details.

Over 2.7 billion records from US data firm leaked on criminal forum.

Geisinger recently disclosed that on 29 November, a former Nuance Communications employee detected unauthorised patient data access just two days after the employee’s termination. Nuance Communications, a technology service provider owned by Microsoft, has access to Geisinger’s patient records as part of their IT services agreement.

Upon notification of the breach, Nuance promptly revoked the ex-employee’s access to Geisinger’s records and initiated an investigation to assess the incident’s extent. Subsequent findings revealed that the former employee had illicitly obtained information about over one million Geisinger patients. The compromised data included details such as names, dates of birth, addresses, medical record numbers, race, gender, phone numbers, and facility name abbreviations.

Geisinger clarified that sensitive information like claims or insurance details, credit card numbers, bank account information, and Social Security numbers remained secure and were not accessed by the ex-employee. Following a thorough investigation, the former Nuance employee was apprehended and is currently facing federal charges. Geisinger’s chief privacy officer, Jonathan Friesen, emphasised the organisation’s commitment to safeguarding patient privacy, stating, ‘Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously.’ Friesen expressed gratitude for the swift resolution of the case while acknowledging the unfortunate breach.

The former Nuance employee, Max Vance, is now undergoing legal proceedings at the US Middle District Court in Williamsport. Geisinger has advised all impacted individuals to remain vigilant by monitoring their credit reports, account statements, and benefits for any unusual activity. In case of suspicion, affected individuals are urged to report such incidents to the relevant authorities, including law enforcement agencies and the state attorney general.