Here’s today’s reminder of the insider threat. We start with a notice from Geisinger about a security incident involving Nuance Communications:
Nuance Communications Inc., an outside vendor that provides information technology services for Geisinger, is notifying Geisinger patients that some personal information may have been accessed by a former Nuance employee.
On Nov. 29, 2023, Geisinger discovered and immediately notified Nuance that a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated. Upon learning this, Nuance permanently disconnected its former employee’s access to Geisinger’s records. An investigation was launched, and law enforcement was engaged. Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now. The former Nuance employee has been arrested and is facing federal charges.
Through its investigation, Nuance determined the former employee may have accessed and taken information pertaining to more than one million Geisinger patients. The information varied by patient but could have included names in combination with one or more of the following: date of birth, address, admit and discharge or transfer code, medical record number, race, gender, phone number and facility name abbreviation. No claims or insurance information, credit card or bank account numbers, other financial information, or Social Security numbers were inappropriately accessed by the company’s former employee.
“Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously,” said Jonathan Friesen, Geisinger chief privacy officer. “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.”
Geisinger encourages those who have received a notice to review the information and contact the number below to address any concerns. They may call 855-575-8722, Monday through Friday, between 9 a.m. and 9 p.m., Eastern Time, except for major U.S. holidays, and provide engagement number B124651.
Further, those patients whose information was involved in the incident are encouraged to review the statements they receive from their health plan and contact their health insurer immediately if they see services they did not receive.
U.S.A. v. Vance
The federal case is U.S.A. Vance, case 4:24-cr-00015 in the Middle District of Pennsylvania.
Max Vance, also known as Andre J. Burk, was indicted on January 30, 2024, only two months after Geisinger discovered the breach. He was charged with one count of “Obtaining Information from a Protected Computer” in violation of 18 U.S.C. § 1030(a)(2), the statute used in most hacking or unauthorized access cases of this kind. He was not charged criminally under HIPAA.
Vance was assigned a federal public defender and pleaded not guilty on March 5. The case has not yet gone to trial.
In reading some of the available court documents, DataBreaches noted that Vance had significant indicators of past and intended criminal conduct. The detention order issued by the Southern District of California noted that law enforcement found firearms and ammunition in his home despite a restraining order prohibiting him from owning any firearms. They also found numerous false IDs with his photo and a variety of names, blank ID forms and machines to create IDs, paperwork related to prior crimes and the requirement to appear in court. Vance’s history also revealed arrest warrants for failure to appear in court. Law enforcement also found a thumb drive in his car that contained “information from his former employer after he was fired.” The description does not indicate whether that former employee was Nuance or another former employee.
Given Vance’s history, DataBreaches emailed Nuance to inquire whether Vance had ever passed a criminal background check prior to hiring, whether he had been fired for cause, and whether his access to Geisinger data had been terminated immediately at the time he was told his employment was terminated. No reply was immediately available. This post will be updated if a reply is received.