News
Fired Nuance Employee Compromises Data of Over 1M Patients
A former employee of Microsoft-owned Nuance was responsible for a security breach last year affecting over 1 million patients of Geisinger, a healthcare services provider in Pennsylvania.
Geisinger operates 10 hospitals and 133 specialty clinics across state. Last week, it disclosed a security incident involving a former employee of its technology partner, Nuance, a maker of AI voice recognition and other software. Nuance is owned by Microsoft, having been acquired by the tech giant in 2022 for nearly $20 billion.
Geisinger discovered the breach on November 2023, tracing it to a former Nuance employee that had been fired just days before but still had access to Geisinger account data. Upon being notified by Geisinger of the breach, Nuance "permanently disconnected" the former employee's access, but not before they were able to harvest the data of over 1 million patients.
Besides the patients' names, the compromised data includes their birthdays, addresses, gender, race, phone numbers, medical record numbers, facility names, and admission/discharge or transfer codes.
However, said Geisinger, "[n]o claims or insurance information, credit card or bank account numbers, other financial information, or Social Security numbers were inappropriately accessed."
Geisinger also notified authorities, who investigated. The former employee has since been arrested and is currently facing federal charges.
However, Geisinger explained that it had not been allowed to contact the affected patients until now to avoid potentially impending the investigation.
On June 28, a $5 million class-action lawsuit naming both Geisinger and Nuance was filed with the U.S. District Court for the Middle District of Pennsylvania by one of the affected patients. In the complaint, the plaintiff holds Geisinger and Nuance responsible for "a substantial and imminent risk of identity theft and medical identity theft; the wrongful disclosure and loss of confidentiality of his highly sensitive PII/PHI [personally identifiable information and protected health information]; deprivation of the value of his PII/PHI; and lost time and money mitigating the effects of the Data Breach; and overpayment for services that did not include adequate data security."