Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Nuance Ex-Employee Indicted for Breach Affecting 1 Million

DOJ Says Vendor's Terminated Worker Unlawfully Accessed Geisinger Patient Info
Nuance Ex-Employee Indicted for Breach Affecting 1 Million
Image: Nuance, Geisinger

An ex-employee of Microsoft's Nuance Communications unit is at the center of a 2023 data breach that affected more than 1 million patients of Pennsylvania-based healthcare system Geisinger. The Department of Justice has charged the former Nuance worker with an alleged federal computer crime in the incident.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

Nuance, which provides IT services to Geisinger, is notifying more than 1 million of the healthcare firm's patients that a former Nuance worker may have accessed their personal information, including name, birthdate, address, admit and discharge or transfer code, medical record number, race, gender, phone number and facility name abbreviation, Geisinger said in a statement Tuesday.

Geisinger said the breach did not affect claims or insurance information, credit card or bank account numbers, other financial information or Social Security numbers.

Geisinger said that on Nov. 29, 2023 it discovered and immediately notified Nuance that a former Nuance employee had accessed Geisinger patient information two days after the worker had been terminated. "Upon learning this, Nuance permanently disconnected its former employee's access to Geisinger's records," the healthcare entity said.

Law enforcement advised Nuance and Geisinger to delay notification of the incident while it investigated the matter, Geisinger said.

On Jan. 30, the U.S. Department of Justice indicted the former Nuance employee, Max Vance - also known as Andre Burk - in connection with the incident and charged him with one count of "obtaining information from a protected computer," which is a federal crime under the Computer Fraud and Abuse Act.

The complaint against Vance is under court seal, but the Justice Department's

indictment seeks to force Vance to give the government "a personal external drive (USB drive), Samsung model PSSD T7" related to the case.

Vance's trial is slated to begin Aug. 5, according to court records.

An attorney representing Vance declined Information Security Media Group's request for comment on the allegations. The Department of Justice also declined ISMG's requests for comment and additional details about the case against Vance, including whether any co-conspirators were allegedly involved or if any additional charges are planned.

"We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened," said Jonathan Friesen, Geisinger chief privacy officer, in the organization's statement.

Geisinger did not immediately respond to ISMG's requests for additional details about the breach.

In a statement, a spokesperson for Microsoft - Nuance's parent company - told ISMG: "We are cooperating with law enforcement and doing what is necessary to support our customer." The company did not immediately respond to ISMG's request for additional details.

Common Challenges

Some experts said the Geisinger incident involving the former Nuance worker is an example of the challenges in severing company access when an employee leaves their job, which can also be compounded by vendor risk.

"The proliferation of external accounts, especially software-as-a-service applications that employees use every day, creates a situation where offboarding of separating employees may require removing access to dozens of SaaS applications, many with sensitive data," said Fred Langston, chief product officer at security firm Critical Insight.

"Add to that companies whose employees log into accounts on client's systems and networks, and you have potentially dozens of external accounts whose credentials need to be changed and/or the access permanently removed," he said.

Making matters worse is shadow IT/shadow SaaS applications used by staff that the IT department may not even know are being used. "This becomes a critical process to manage to mitigate these types of risks, he said.

"Insider threats come with drastically varying degrees of sophistication, intent and damage inflicted," said Max Henderson, assistant vice president of digital forensics and incident response at security firm Pondurance.

"Organizations with a robust single sign-on implementation can eradicate access upon employee departure with one fell swoop," he said. But a common nightmare scenario involves long-term disgruntled employees who depart with knowledge of login accounts that bypass SSO and can be used for re-entry, he said.

"Routine account reviews should be conducted for remote access and SaaS applications that seek out local or dormant accounts, Henderson said. "Any termination of an employee who was present or involved in the provisioning of a new remote access application or SaaS application should result in a review of local or bypass accounts associated with that application."

To prevent insider breaches involving vendors' employees, an organization's third-party risk management program should require that access to sensitive data is monitored, Langston said.

"Regular auditing of access, using tools built for this purpose, is a requirement of HIPAA as well as many other regulations and standards," he said.

Nonetheless, that kind of auditing is commonly not performed "due to the need for extensive use of company human resources as only internal employees can conduct this sort of monitoring," according to HR's understanding of who should have access to specific data, he said.

"This implies that the access auditing requirements need to be passed down via business associate agreements in healthcare to the third parties that store, transmit or process your sensitive data."

Henderson said organizations should consult with internal departments about any SaaS applications used on a daily basis and consider their compatibility with SSO.

"A principle of least privilege should apply to all sensitive data stored in an organization, where only employees who need access are granted it," he said.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.