Geisinger is informing its patients that some of their personal information may have been accessed in a data breach believed to have been committed by a former employee of Nuance Communications, a company that provides IT services to the healthcare industry.
WHY IT MATTERS
The Danville, Pennsylvania-based nonprofit, which serves 1.2 million people at more than 130 locations across the state, announced Monday that it discovered a former third-party worker had accessed patient information on Nov. 29, 2023 — two days after that worker was terminated by Nuance.
Geisinger, part of Risant Health, said that when it discovered the unauthorized access, it immediately notified Nuance, and Microsoft’s business partner closed the former employee’s accounts and access to data.
The employee may have had access to protected information, including dates of birth, addresses, admission and discharge or transfer codes, medical record numbers, race and gender information, telephone numbers and facility name abbreviations of more than one million Geisinger patients, according to the healthcare system data. rack.
However, no claims or insurance data, credit card or bank account numbers, other financial information or Social Security numbers were breached in the incident, Geisinger said.
Affected individuals have not yet been notified due to the law enforcement investigation, which led to an unnamed individual being charged, the health system said.
Nuance sends notifications to affected individuals.
Geisinger encouraged affected patients to review health plan statements and contact their insurer immediately if they see services they did not receive.
THE BIG TREND
This latest data breach is yet another reminder that cyber attacks don’t always come from cyber gangs or state-sponsored cyber terrorism. Insider threats increase when employees are laid off, a phenomenon known as the termination gap.
According to Joel Burleson-Davis, senior vice president of global engineering, cyber at Imprivata, leaving a terminated employee’s credentials active for potentially months after he or she has left the organization is an increasing vulnerability being exploited for cyber attacks.
“Collaboration between healthcare IT and HR is critical to effectively mitigating insider threats,” he shared Healthcare IT news last year.
However, when a business associate’s employee is fired, healthcare organizations can find themselves in violation of HIPAA. The healthcare industry is a leader in third-party data breaches, and sources of risk include specialized platforms that integrate with electronic health records and other information systems.
ON THE RECORD
“The privacy of our patients and members is a top priority, and we take protecting it very seriously,” Geisinger Chief Privacy Officer Jonathan Friesen said in a statement. “We continue to work closely with authorities in this investigation, and while I am grateful that the perpetrator was apprehended and is now facing federal charges, I am sorry that this happened.”
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.