Danville-based Geisinger health system this week disclosed a data breach that could affect more than a million of its patients.
In its disclosure, Geisinger said it learned on Nov. 29 that a vendor’s former employee had accessed patient information two days after being fired.
The vendor, Microsoft subsidiary Nuance Communications, cut off the ex-employee’s access to Geisinger records, notified law enforcement and launched an investigation, Geisinger said.
But law enforcement officials asked Nuance to delay telling patients, as it could have impeded the investigation, Geisinger said, noting that the former employee has been arrested and is facing federal charges.
The former employee, who was not named, took information on Geisinger patients that could have included names in combination with additional pieces of information, including birth dates, addresses, phone numbers and medical record numbers, among others.
The breached data did not include claims or insurance information, credit card or bank account numbers, Social Security numbers, or other financial information, Geisinger said.
“Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously,” Geisinger chief privacy officer Jonathan Friesen said in a statement. “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.”
A Nuance spokesperson did not respond to questions by press time.
Class-action attorneys are soliciting alleged victims of the breach, signaling the likelihood of lawsuits to follow.
The background: Geisinger, which recently became a subsidiary of Risant Health, operates 10 hospitals, numerous clinics and medical offices, and a health plan.
The health system employs 26,000 people and has about $10 billion in annual revenue.
