Shweta Sharma
Senior Writer

Microsoft-owned vendor blamed for massive healthcare breach

News
26 Jun 2024 | 3 mins

Geisinger said a former Nuance Communications employee with improper access to official records stole critical patient information.

US-based Geisinger is warning patients of a security breach at one of its vendors that has likely compromised the data of more than a million of the healthcare giant’s patients.

In a November incident, the company said, a former employee of Microsoft-owned Nuance Communications exploited continued access to corporate files long after the person was fired and made copies of some sensitive records.

“On Nov. 29, 2023, Geisinger discovered and immediately notified Nuance that a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated,” the company said in a blog post. “Upon learning this, Nuance permanently disconnected its former employee’s access to Geisinger’s records.”

Nuance has been a Microsoft-owned business for over three years and provides information technology services to Geisinger.

“We are cooperating with law enforcement and doing what is necessary to support our customer,” a Microsoft spokesperson said.

Some sensitive data was stolen

Through an internal investigation, Geisinger found that more than one million patients were potentially affected by the incident, having their personal and healthcare information compromised.

“The information varied by patient but could have included names in combination with one or more of the following: date of birth, address, admit and discharge or transfer code, medical record number, race, gender, phone number and facility name abbreviation,” the company said.

The hospital giant, however, gave assurances that no claims or insurance information, credit card or bank account numbers, other financial information, or Social Security numbers were inappropriately accessed by the company’s former employee.

“Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously,” Jonathan Friesen, Geisinger’s chief privacy officer, said in the post. “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.”

Not the first case of negligence for Nuance

This isn’t the first time Nuance has been found guilty of a security mishap as the company has, at least on one previous occasion, been charged with an awkwardly similar failing. In 2018, news sources reported that a former Nuance employee managed to access patients’ personal information, leading to a break-in at San Francisco’s Department of Public Health.

While Nuance had not responded to queries by the time this article was published, Geisinger, in its post, provided some explanation for the late reporting of the incident. “An investigation was launched, and law enforcement was engaged,” the company said. “Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now.”

The development adds to Microsoft’s woes as the Windows maker recently faced attacks by Chinese spies that exploited compromised Exchange Online, a cloud-based messaging platform, to hack into US official accounts. The former Nuance employee has been arrested and is facing federal charges, Geisinger added.