Geisinger is notifying its patients that some of their personal information may have been accessed in a data breach allegedly perpetrated by a former employee of Nuance Communications, which provides IT services for the health system.
WHY IT MATTERS
The Danville, Pennsylvania-based nonprofit, which serves 1.2 million people at more than 130 sites across the state, announced Monday that it discovered a former third-party employee had accessed patient information on November 29, 2023, two days after that employee had been terminated by Nuance.
Geisinger, a part of Risant Health, said that when it discovered the unauthorized access, it immediately notified Nuance, and the Microsoft-owned business associate shut down the former employee’s accounts and prevented their access to information.
The employee may have accessed protected information, including dates of birth, addresses, admit and discharge or transfer codes, medical record numbers, race and gender information, phone numbers, and facility name abbreviations, for more than one million Geisinger patients, according to the health system’s statement.
However, no claims or insurance information, credit card or bank account numbers, other financial information, or Social Security numbers were breached in the incident, Geisinger said.
Affected individuals have not been notified until now due to a law enforcement investigation, which resulted in an unnamed individual facing charges, the health system noted.
Nuance is mailing notifications to the affected individuals.
Geisinger encouraged affected patients to review health plan statements and contact their insurer immediately if they see services they did not receive.
THE LARGER TREND
This latest data breach is a fresh reminder that cyberattacks don’t always come from cybergangs or state-supported cyberterrorism. Insider threats increase with employee terminations, a phenomenon known as the termination gap.
Leaving a terminated employee’s access credentials active for potentially months after they have left an organization is a growing vulnerability exploited for cyberattacks, according to Joel Burleson-Davis, senior vice president of worldwide cyber engineering at Imprivata.
“Collaboration between healthcare IT and HR is essential for effective insider threat mitigation,” he told Healthcare IT News last year.
However, when a business associate’s employee is terminated, healthcare organizations can get caught in HIPAA violations. The healthcare sector leads in third-party data breaches, and sources of risk include specialized platforms that integrate with electronic health records and other information systems.
ON THE RECORD
“Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously,” Jonathan Friesen, Geisinger’s chief privacy officer, said in a statement. “We continue to work closely with the authorities on this investigation, and while I’m grateful that the perpetrator was caught and is now facing federal charges, I’m sorry that this happened.”
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.