Former Nuance Communications Employee Accessed 1.2 Million Geisinger Records After Termination


A former employee of the Microsoft-owned HIPAA business associate, Nuance Communications, stole the protected health information of more than 1.2 million Geisinger patients two days after being terminated from Nuance.

Geisinger is a Danville, PA-based health system that operates 10 hospital campuses in south-central and northeastern Pennsylvania and was recently acquired by Risant Health. On November 29, 2023, Geisinger notified Nuance that one of its employees had accessed patient data. Nuance immediately terminated the former employee's access rights and notified law enforcement about the unauthorized access. The law enforcement investigation confirmed that there had been unlawful access and the former employee is now facing federal charges.

Geisinger's investigation confirmed that the types of patient data accessed by the employee included names, addresses, phone numbers, birth dates, admission/discharge dates, medical record numbers, facility names, and patients' race and gender. Social Security numbers, financial information, and health insurance information were not accessed. The types of data involved varied from patient to patient, and the review confirmed that the protected health information of 1,276,026 individuals had been accessed. Neither Geisinger nor Nuance has stated why the records were accessed or why the employee was terminated.

The HIPAA Breach Notification Rule requires notifications to be issued without unreasonable delay and no later than 60 days after the discovery of a data breach, but it permits a delay when a law enforcement official states that notification would impede a criminal investigation. Geisinger did not state when it first learned about the unauthorized access but has confirmed that the delay in issuing notifications was due to a request from law enforcement. This is not unusual in insider breach incidents, as an announcement may hamper the law enforcement investigation. Geisinger announced the breach when it got the go-ahead from law enforcement.

The breach underscores the importance of compliance with the termination procedures stated in the administrative safeguards of the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(3)(ii)(C), an addressable implementation specification that requires regulated entities to "implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required." In practice that means deprovisioning has to be driven by the HR termination event itself, and it has to be verified afterwards: an account that is still enabled, or that still authenticates after the termination date, is a control failure regardless of whether the data is later accessed.
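As an added example that is not from the article and not code used by Geisinger, Nuance, or OCR, the following Python reconciles an HR termination feed against two other sources a business associate normally has: an identity-provider export of enabled accounts, and the application access log. It flags terminated users whose accounts are still enabled, accounts that have no HR record at all, and any access event that post-dates the user's termination. The HR roster, account export, and log lines are constructed for illustration, and the CSV field layout is an assumption, not a real product format.

```python
"""Post-termination access reconciliation (added example, constructed data).

Three constructed inputs stand in for real feeds:
  * HR_TERMINATIONS  - user id -> termination time in UTC, None if still employed
  * ENABLED_ACCOUNTS - accounts the identity provider currently reports as enabled
  * ACCESS_LOG       - application log lines: ISO-8601 UTC timestamp,user,action,records
The field layout is an assumption for this example, not a real vendor format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed HR feed. Termination time is when access should have been cut.
HR_TERMINATIONS: Dict[str, Optional[datetime]] = {
    "jdoe": datetime(2023, 11, 27, 17, 0, tzinfo=timezone.utc),
    "asmith": None,
    "bwong": datetime(2023, 10, 1, 9, 0, tzinfo=timezone.utc),
}

# Constructed IdP export: every account below is still enabled.
ENABLED_ACCOUNTS: Set[str] = {"jdoe", "asmith", "bwong"}

# Constructed access-log lines.
ACCESS_LOG = """\
2023-11-27T15:12:03Z,jdoe,export_patient_list,120
2023-11-29T02:41:55Z,jdoe,export_patient_list,1276026
2023-11-29T08:05:10Z,asmith,view_record,1
2023-11-30T11:20:00Z,unknownuser,view_record,3
2023-09-30T23:59:59Z,bwong,view_record,2
"""


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    action: str
    records: int
    reason: str


def parse_access_log(text: str) -> Iterator[Tuple[datetime, str, str, int]]:
    """Yield (timestamp, user, action, record_count) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split(",")
        # fromisoformat() does not accept a trailing 'Z' on older Pythons.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield when, user, action, int(count)


def stale_enabled_accounts(enabled: Set[str],
                           terminations: Dict[str, Optional[datetime]]) -> List[str]:
    """Accounts still enabled in the IdP although HR says the person left."""
    return sorted(u for u in enabled if terminations.get(u) is not None)


def post_termination_access(log_text: str,
                            terminations: Dict[str, Optional[datetime]]) -> List[Finding]:
    """Log events by users who had already been terminated, or who HR does not know."""
    findings: List[Finding] = []
    for when, user, action, count in parse_access_log(log_text):
        if user not in terminations:
            findings.append(Finding(user, when, action, count, "no HR record for account"))
            continue
        term = terminations[user]
        if term is not None and when > term:
            hours = (when - term).total_seconds() / 3600
            findings.append(Finding(user, when, action, count,
                                    f"access {hours:.1f} h after termination"))
    return findings


if __name__ == "__main__":
    for acct in stale_enabled_accounts(ENABLED_ACCOUNTS, HR_TERMINATIONS):
        print(f"STALE ACCOUNT  {acct}: terminated but still enabled")
    for f in post_termination_access(ACCESS_LOG, HR_TERMINATIONS):
        print(f"POST-TERM ACCESS {f.user} {f.when.isoformat()} {f.action} "
              f"records={f.records} ({f.reason})")
```

Run daily against the real feeds, the first check catches the deprovisioning failure before any data is touched; the second is the detective control for the case described above, where a large export lands after the termination date. A single user pulling a record count orders of magnitude above their normal volume is worth alerting on even for active employees, but that is a separate baseline-based check.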

OCR has previously imposed financial penalties on HIPAA-regulated entities that have not complied with this provision, including Pagosa Springs Medical Center and the City of New Haven.


About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/