Geisinger Health System has notified more than one million patients that their personal information may have been accessed by a former employee of their IT service provider, Nuance Communications Inc.
What happened
On November 29, 2023, Geisinger discovered that a former Nuance employee, Max Vance (also known as Andre J. Burke), accessed patient information two days after his termination. Geisinger immediately informed Nuance, who permanently revoked the employee's access and initiated an investigation. The former employee has since been arrested and faces federal charges.
The investigation revealed that Vance intentionally accessed the protected health information of over one million patients. The data may have included names, addresses, phone numbers, dates of birth, medical record numbers, admission/discharge/transfer codes, facility name abbreviations, race, and gender information.
While no claims, insurance information, financial information, or Social Security numbers were accessed after the former employee’s termination, Geisinger is taking steps to prevent future incidents.
The backstory
The recent data breach is not the first incident impacting Geisinger’s patient information. Previously, the Blackbaud breach affected 86,412 of Geisinger’s patients, compromising names, dates of birth, ages, dates of treatment, gender, departments of service, treating physicians, and medical record numbers.
While the Blackbaud breach did not compromise Social Security numbers or financial information, Geisinger must improve their data security measures to protect sensitive patient information and maintain trust.
What was said
Geisinger’s chief privacy officer, Jonathan Friesen, stated, “Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously… We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.”
Furthermore, according to U.S. Code § 1030 - Fraud and related activity in connection with computers, the accused “intentionally accessed a computer without authorization and exceeded authorized access to a computer, and thereby obtained information from a protected computer, and the value of the information obtained exceeded $5,000.”
Why it matters
The recurring nature of these data breaches, including the prior Blackbaud breach affecting 86,412 Geisinger patients, shows the ongoing vulnerabilities in protecting sensitive patient information.
Providers must continuously improve their security measures and revoke employee access upon termination, ultimately preventing unauthorized access to protected health information (PHI) that can lead to non-compliance penalties.
The bottom line
Providers must improve their data security and immediately revoke terminated employees’ access to PHI. Affected patients should also review their health plan statements and report any unfamiliar services to their insurers. Additionally, they can contact Geisinger’s dedicated helpline for further information at 855-575-8722 with engagement number B124652.
Related: When do you need to implement access controls for HIPAA compliance?
