Geisinger health system patient data compromised by IT vendor breach

Geisinger health system reports that their IT service provider Nuance Communications caused a data breach exposing personal information of patients. Nuance Communications is owned by Microsoft.

Geisinger is a comprehensive health system that provides a wide range of medical services across central, south-central, and northeastern Pennsylvania. On November 29, Geisinger became aware that a recently terminated employee of Nuance had accessed patient information and notified the vendor. Nuance revoked the individual's access and initiated an investigation into the incident.

The investigation by Nuance revealed that the former employee might have accessed and potentially exfiltrated data related to more than one million Geisinger patients. The types of compromised data vary by individual and include:

• Dates of birth
• Addresses
• Admit, discharge, or transfer codes
• Medical record numbers
• Race
• Gender
• Phone numbers
• Facility name abbreviations

The number of affected individuals is not disclosed.

Geisinger claims the breach did not involve claims, insurance information, credit card numbers, bank account numbers, other financial information, or Social Security numbers.

Update - Geisinger reports that Nuance determined the former employee may have accessed and stolen information of over one million Geisinger patients.