Geisinger is sending notifications to over one million patients that their protected health information (PHI) was illegally accessed by an ex-worker of Nuance Communications, its business associate.
Nuance Communications provides IT services to Geisinger, which gives it access to systems that contain patient data. On November 29, 2023, Geisinger discovered unauthorized access to patient information by an ex-Nuance worker and promptly informed Nuance of the incident. Nuance dismissed the former worker and cut off his system access. An investigation of the incident confirmed the access to patient records.
The ex-worker potentially accessed and stole the data of over one million Geisinger patients. The information differed from one patient to another and possibly included names, telephone numbers, addresses, birth dates, medical record numbers, admission/discharge/transfer codes, facility name abbreviations, and race and gender details. Nuance has reported that the worker had no access to financial data, claims/insurance data or Social Security numbers.
The Department of Justice can bring criminal charges for HIPAA violations under the Social Security Act when people purposefully violate HIPAA legislation. HIPAA still applies after a worker of a HIPAA-covered entity or business associate is terminated. There are severe penalties for accessing and stealing PHI, which may include a substantial penalty and jail time. The following penalties apply for the different tiers of violation:
- Tier 1 violation – up to 1 year in jail
- Tier 2 violation – up to 5 years in jail
- Tier 3 violation, which involves stealing PHI for personal gain or with malicious intention – up to 10 years in jail
Geisinger has reported the unauthorized access to law enforcement. The ex-Nuance worker has been detained and will face federal criminal charges.
Because the risk is high that former employees will access patient information without authorization, HIPAA-covered entities and business associates need to create and apply procedures for terminating access to electronic protected health information (ePHI) when employment ends, as required by the employees security standard of the HIPAA Security Rule – 45 CFR § 164.308(a)(3)(ii)(C). This incident clearly demonstrates why it is important to revoke access right away when employment is terminated. The HHS’ Office for Civil Rights took enforcement action over a violation of this Security Rule provision in 2020 involving the City of New Haven and in 2018 involving Pagosa Springs Medical Center.
The health system Risant Health has mentioned that Nuance Communications is sending breach notifications to the impacted people. Patients are told to check the health plan statements they receive and get in touch with their health insurance provider if their statements list services that were not provided. Those who need more information concerning the breach can contact the helpline at 855-575-8722. Support is available through the helpline from 9 a.m. to 9 p.m., Monday to Friday.