Dive Brief:
- A data breach at Geisinger may have exposed the personal information of more than 1.2 million patients, according to a report filed with federal regulators.
- In late November, the Pennsylvania-based health system discovered a former employee of Nuance Communications, a Microsoft subsidiary, had accessed certain patient information two days after the employee was terminated, according to a Geisinger press release published last week.
- Law enforcement asked Nuance to delay notifying patients about the breach until now to avoid impacting their investigation. The worker has been arrested and is now facing federal charges, Geisinger said.
Dive Insight:
Geisinger, which operates 10 hospital campuses and was recently acquired by Kaiser Permanente’s Risant Health, notified Nuance, a clinical documentation vendor, on Nov. 29 that the former employee had accessed patients’ health data.
After discovering the breach, Nuance disconnected the employee’s access to the health system’s patient records and notified law enforcement.
In the investigation, Nuance discovered the former employee may have accessed and stolen information pertaining to more than 1 million patients at Geisinger, according to the health system.
Data exposed by the employee varied by patient, but could include names, birth dates, addresses, admit and discharge or transfer codes, medical record numbers, race, gender, phone numbers and facility names.
No claims or insurance information, financial information or Social Security numbers were accessed by the former employee.
“We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened,” Jonathan Friesen, Geisinger’s chief privacy officer, said in a statement.
Nuance did not return a request for comment by press time.
Cybersecurity has become a significant undertaking for health systems as data breaches increase, compromising sensitive patient data.
Large data breaches reported in 2023 affected more than 134 million people, a 141% increase from 2022, according to the HHS’ Office for Civil Rights, which administers the HIPAA privacy law.