Clinic

Geisinger, a prominent healthcare system in Pennsylvania, has announced a data breach involving a former employee of Nuance, an IT services provider contracted by the organization.

Geisinger is a non-profit organization that operates 134 care sites, ten hospitals, and the Geisinger Health Plan, serving a total of 1.2 million people. It employs 26,000 staff, including 1,600 doctors, and is considered one of Pennsylvania’s most important organizations.

An announcement published earlier this week explains that in November 2023, Geisinger detected unauthorized access to its patients’ database by a former Nuance employee.

Nuance was promptly informed and took action to block the former employee’s access to Geisinger’s systems holding patient records.

“On Nov. 29, 2023, Geisinger discovered and immediately notified Nuance that a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated,” reads the announcement.

“Upon learning this, Nuance permanently disconnected its former employee’s access to Geisinger’s records.”

Subsequently, Nuance informed the law enforcement authorities accordingly, and the former employee was arrested and charged.

According to the company’s investigation, the following information was compromised:

  • Full name
  • Phone number
  • Date of birth
  • Address
  • Admit and discharge or transfer code
  • Medical record number
  • Race and gender
  • Facility name abbreviation

The exact data types exposed varies per person, depending on what services they got through Geisinger.

This incident did not impact insurance information, credit card details, bank account number, Social Security Number (SSN), and other financial data.

It is unclear how exactly the former employee attempted to exploit the stolen data, or if it has been disseminated already to cybercriminals, so potentially impacted people are advised to remain vigilant.

Typically, sacked employees who access systems using non-revoked accounts/credentials do so out of spite, aiming to cause reputation and business damage.

Geisinger suggests that people who are notified about the breach carefully review their statements and notify their health insurers immediately if they see entries they don’t recognize.

Law firm Lynch Carpenter has already announced an investigation on the scope of the incident, exploring the potential for a class action lawsuit against Geisinger.