Geisinger is notifying patients that some of their personal information may have been accessed in a data breach believed to have been carried out by a former employee of Nuance Communications, the company that provides IT services to the health system.
WHY IT MATTERS
The Danville, Pennsylvania-based nonprofit, which serves 1.2 million people at more than 130 locations statewide, announced Monday that it discovered a former third-party employee had accessed patient information on November 29, 2023 – two days after the employee was arrested. terminated by Nuance.
Geisinger, part of Risant Health, said that when it discovered the unauthorized access, it immediately notified Nuance and its Microsoft-owned business partner closed the former employee’s account and blocked they access the profile.
The employee may have accessed protected information, including dates of birth, addresses, admission, discharge or transfer codes, medical record numbers, race and gender information, phone numbers and medical facility initials for more than one million Geisinger patients, the health system said in a statement.
However, Geisinger said no claims or insurance information, credit card or bank account numbers, other financial information or Social Security numbers were compromised in this incident.
The health system noted that affected individuals have not been notified to date due to a law enforcement investigation, which resulted in an unnamed individual facing charges.
Nuance is sending notices to affected individuals.
Geisinger encourages affected patients to review their health insurance plan statements and contact their insurance company immediately if they see services they did not receive.
BIGGER TREND
This latest data breach is a fresh reminder that cyberattacks do not always come from cyber gangs or state-sponsored cyber terrorism. Insider threats increase when employees are fired, a phenomenon known as the layoff gap.
According to Joel Burleson-Davis, senior vice president of global network engineering at Imprivata, leaving a fired employee’s login information active for months after they leave the organization is a vulnerability. increasingly exploited for cyber attacks.
“Collaboration between healthcare IT and HR is critical to effectively mitigating insider threats,” he says. Healthcare IT News last year.
However, when a business partner’s employee is terminated, healthcare organizations can be in violation of HIPAA. The healthcare industry leads in third-party data breaches, and sources of risk include specialized platforms that integrate with electronic health records and other information systems.
ON PROFILE
“The privacy of our patients and members is a top priority and we take protecting this right very seriously,” Jonathan Friesen, Geisinger’s chief privacy officer, said in a statement. “We continue to work closely with authorities in this investigation, and while I am grateful that the perpetrator has been arrested and is now facing federal charges, I am sorry that this happened.”
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a publication of HIMSS Media.
