Geisinger reports data of 1.2 million patients may have been exposed
A class-action lawsuit has reportedly been filed against the Pennsylvania health system for the data breach.
Photo: Courtesy of Geisinger
A data breach at Geisinger may have exposed the personal data of 1.2 million patients, according to the Department of Human Services Office for Civil Rights Breach Portal.
On June 24, the Pennsylvania health system provided notice that a former employee of vendor Nuance Communications had accessed certain patient information two days after the employee had been terminated.
Geisinger said it discovered the breach in November 2023 and immediately notified Nuance, a Microsoft-owned business that provides information technology services. Nuance then permanently disconnected its former employee's access to Geisinger's records.
An investigation was launched, and law enforcement was engaged. The former Nuance employee, who has not been named, has reportedly been arrested and is facing federal charges.
WHY THIS MATTERS
Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident.
A man in Centre County, Pennsylvania, filed a class-action lawsuit against Geisinger on Friday, June 28, four days after the health system disclosed the breach. James Wierbowski's attorneys alleged Geisinger and its third-party information technology vendor Nuance Communications failed to reasonably safeguard patients' personal data, including their names, dates of birth, address, race, gender, phone numbers and more, according to the Centre Daily Times.
Geisinger has said the employee may have accessed protected information, including dates of birth, addresses, admit and discharge or transfer codes, medical record numbers, race and gender information, phone numbers and facility name abbreviations.
Nuance is mailing notifications to the affected individuals.
Geisinger is encouraging affected patients to review health plan statements and contact their insurer immediately if they see services they did not receive.
THE LARGER TREND
Geisinger, which is now part of Risant Health, is the latest healthcare organization to suffer a breach.
In February, Change Healthcare, which is part of Optum, was hit by a cyberattack that shut down claims processing and impacted the finances of hospitals and physician practices.
UnitedHealth Group, the parent company of Optum, continues to give status updates on system restoration, saying on Friday that an updated Claims Payer List for legacy Emdeon customers now on iEDI and an updated ERA Payer List for Emdeon/Change Healthcare customers are now available.
In May, UnitedHealth CEO Andrew Witty told a House Committee that he made the decision to pay $22 million in ransomware by bitcoin to protect patient information.
Email the writer: SMorse@himss.org