Geisinger Faces Class Action Lawsuit Following Major Data Breach

Pennsylvania-based healthcare provider Geisinger is embroiled in a class action lawsuit following a significant data breach that exposed the personal information of over 1.2 million individuals. The breach, which occurred in November 2023, has raised serious concerns about data security in the healthcare sector.

The breach was discovered by Geisinger in late November. According to the company, a former employee of Nuance, a Microsoft-owned entity, accessed sensitive patient information two days after their termination. In an incident notice, Geisinger stated, “a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated.” The unauthorized access was immediately terminated once identified.

The compromised information includes names, addresses, dates of birth, phone numbers, race, gender, admit and discharge or transfer codes, and medical record numbers. Geisinger assured that more sensitive data such as claims, insurance information, credit card or bank account numbers, financial details, or Social Security numbers were not accessed.

Nuance is currently in the process of notifying the potentially affected individuals. The former employee, identified as Max Vance, also known as Andre J. Burke, has been arrested and indicted in connection with the incident.

Geisinger explained that the notification to impacted individuals was delayed at the behest of law enforcement agencies investigating the breach. In June, Geisinger reported to the U.S. Department of Health and Human Services that 1,276,026 individuals were affected.

The legal repercussions of the breach are unfolding swiftly. Last week, a federal class action lawsuit was filed against Geisinger in the U.S. Middle District Court of Pennsylvania. The plaintiff, James Wierbowski, accuses Geisinger of failing to adequately protect patients’ personal and health information and is seeking damages exceeding $5 million.

This incident has occurred amid significant organizational changes for Geisinger. Recently, Kaiser Permanente’s non-profit charitable organization, Risant Health, acquired Geisinger. The healthcare provider operates 134 care sites across Pennsylvania, including 10 hospital campuses, and employs over 26,000 people.

Industry experts are weighing in on the incident, highlighting the critical need for improved data security measures. Chad McDonald, CISO and COO of Radiant Logic, emphasized the risks posed by insider threats. “Insider threats can quickly take hold of organizations if identity data and access rights are not properly managed and monitored. As seen with the Nuance breach, all it took was two days of an ex-employee’s access rights not being changed for the company and individual consumers to face extreme consequences. By utilizing modern day solutions to automate user access reviews and management, organizations can handle these situations urgently and with the precision needed to avoid dire situations,” McDonald said.

The case underscores the necessity for healthcare organizations to implement robust data protection strategies, particularly in the face of evolving cyber threats. As legal proceedings continue, it is expected that other healthcare providers will reassess their security protocols to mitigate the risk of similar breaches in the future.