Former Nuance Communications Employee Accessed 1.2 Million Geisinger Records After Termination
A former employee of the Microsoft-owned HIPAA business associate, Nuance Communications, stole the protected health information of more than 1.2 million Geisinger patients two days after being terminated from Nuance.
Geisinger is a Danville, PA-based health system that operates 10 hospital campuses in south-central and northeastern Pennsylvania and was recently acquired by Risant Health. On November 29, 2023, Geisinger notified Nuance that one of its employees had accessed patient data. Nuance immediately terminated the former employee’s access rights and notified law enforcement about the unauthorized access. The law enforcement investigation confirmed that there had been unlawful access and the former employee is now facing federal charges.
Geisinger’s investigation confirmed that the types of patient data accessed by the employee included names, addresses, phone numbers, birth dates, admission/discharge dates, medical record numbers, facility names, and patients’ race and gender. Social Security numbers, financial information, and health insurance information were not accessed. The types of data involved varied from patient to patient and the review confirmed that the protected health information of 1,276,026 individuals had been accessed. Neither Geisinger nor Nuance have stated the reason why the records were accessed or why the employee was terminated.
The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach. Geisinger did not state when it first learned about the unauthorized access but has confirmed that the delay in issuing notifications was due to a request from law enforcement. This is not unusual in insider breach incidents, as an announcement may hamper the law enforcement investigation. Geisinger announced the breach when it got the go-ahead from law enforcement.
The breach underscores the importance of compliance with the termination procedures stated in the administrative safeguards of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(3)(ii)(C), which require regulated entities to “implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required.”
OCR has previously imposed financial penalties on HIPAA-regulated entities that have not complied with this provision, including Pagosa Springs Medical Center and the City of New Haven.