DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

If the insider threat is at your vendor, could you discover it quickly?

Posted on June 25, 2024March 1, 2025 by Dissent

Here’s today’s reminder of the insider threat. We start with a notice from Geisinger about a security incident involving Nuance Communications:

 Nuance Communications Inc., an outside vendor that provides information technology services for Geisinger, is notifying Geisinger patients that some personal information may have been accessed by a former Nuance employee.

On Nov. 29, 2023, Geisinger discovered and immediately notified Nuance that a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated. Upon learning this, Nuance permanently disconnected its former employee’s access to Geisinger’s records. An investigation was launched, and law enforcement was engaged. Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now. The former Nuance employee has been arrested and is facing federal charges.

Through its investigation, Nuance determined the former employee may have accessed and taken information pertaining to more than one million Geisinger patients. The information varied by patient but could have included names in combination with one or more of the following: date of birth, address, admit and discharge or transfer code, medical record number, race, gender, phone number and facility name abbreviation. No claims or insurance information, credit card or bank account numbers, other financial information, or Social Security numbers were inappropriately accessed by the company’s former employee.

“Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously,” said Jonathan Friesen, Geisinger chief privacy officer. “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.”

Geisinger encourages those who have received a notice to review the information and contact the number below to address any concerns. They may call 855-575-8722, Monday through Friday, between 9 a.m. and 9 p.m., Eastern Time, except for major U.S. holidays, and provide engagement number B124651.

Further, those patients whose information was involved in the incident are encouraged to review the statements they receive from their health plan and contact their health insurer immediately if they see services they did not receive.

U.S.A. v. Vance

The federal case is U.S.A. Vance, case 4:24-cr-00015 in the Middle District of Pennsylvania.

Max Vance, also known as Andre J. Burk, was indicted on January 30, 2024, only two months after Geisinger discovered the breach. He was charged with one count of “Obtaining Information from a Protected Computer” in violation of 18 U.S.C. § 1030(a)(2), the statute used in most hacking or unauthorized access cases of this kind. He was not charged criminally under HIPAA.

Vance was assigned a federal public defender and pleaded not guilty on March 5. The case has not yet gone to trial.

From detention order filing. Image: DataBreaches.net.

In reading some of the available court documents, DataBreaches noted that Vance had significant indicators of past and intended criminal conduct. The detention order issued by the Southern District of California noted that law enforcement found firearms and ammunition in his home despite a restraining order prohibiting him from owning any firearms. They also found numerous false IDs with his photo and a variety of names, blank ID forms and machines to create IDs, paperwork related to prior crimes and the requirement to appear in court. Vance’s history also revealed arrest warrants for failure to appear in court. Law enforcement also found a thumb drive in his car that contained “information from his former employer after he was fired.” The description does not indicate whether that former employer was Nuance or another former employer.

Given Vance’s history, DataBreaches emailed Nuance to inquire whether Vance had ever passed a criminal background check prior to hiring, whether he had been fired for cause, and whether his access to Geisinger data had been terminated immediately at the time he was told his employment was terminated. No reply was immediately available. This post will be updated if a reply is received.

Related posts:

  • URLs Are NOT Passwords, and Sadly, That Needed to Be Said (Stolowitz vs. Nuance Communications)
  • PA: Geisinger Berwick notifying hundreds of patients after firing employee for improper access to records
  • PA: Ex-Geisinger employee accessed hundreds of patients’ info improperly
  • Shooting the Whistleblower? Defamation Suit Claims Nuance Communications Gave False Info to FBI, SEC, Retaliated Against Whistleblower
Category: Health DataOf NoteSubcontractor

Post navigation

← SEC Charges R.R. Donnelley for Ransomware Attack Response
Social Engineering Tactics Targeting Healthcare & Public Health Entities and Providers →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.