Microsoft blamed for million-plus patient record theft at US hospital giant

Probe: Worker at speech-recog outfit Nuance wasn't locked out after firing


Updated American healthcare provider Geisinger fears highly personal data on more than a million of its patients has been stolen – and claimed a former employee at a Microsoft subsidiary is the likely culprit.

Geisinger on Monday announced the results of a probe into a November computer security breach, placing the blame on Microsoft-owned Nuance Communications for not cutting off one of its employees' access to corporate files after that person was fired.

The Pennsylvania-based healthcare giant uses Nuance as an IT provider. We're told that after the Microsoft-owned entity terminated one of its workers, that staffer two days later may have accessed and taken copies of sensitive records on a huge number of Geisinger patients – for reasons as yet unknown.

Geisinger – which says it operates 13 hospitals and has more than 600,000 members – said it discovered the improper access on November 29, informed Nuance, and the IT supplier immediately cut off the former employee from the healthcare group's data before involving police.
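The failure described above is a reconciliation gap: HR knew the worker was gone, but the account that could reach patient data stayed live for at least two days. As an added illustration (not code from The Register, Geisinger or Nuance, and not a description of how the breach was actually detected), the following Python script shows the two checks an IT supplier would run to catch this: joining an access log against HR termination timestamps to flag any activity after termination, and listing terminated users whose directory accounts are still enabled. The log format (`TIMESTAMP key=value ...`), usernames, timestamps and object names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data for this example; usernames, timestamps and object
# names are hypothetical and not taken from the Geisinger/Nuance incident.
HR_TERMINATIONS = {
    "jdoe": datetime(2023, 11, 27, 17, 0),    # terminated, access not revoked
    "asmith": datetime(2023, 11, 20, 12, 0),  # terminated, account later disabled
}

DIRECTORY_ACCOUNTS = {
    "jdoe": {"enabled": True},
    "asmith": {"enabled": False},
    "bwong": {"enabled": True},   # current employee
}

ACCESS_LOG = """\
2023-11-27T09:15:00 user=jdoe action=read object=patients/batch-0012 bytes=40960
2023-11-28T01:02:00 user=jdoe action=read object=patients/batch-0013 bytes=40960
2023-11-29T22:40:00 user=jdoe action=download object=patients/export.csv bytes=524288000
2023-11-29T10:00:00 user=bwong action=read object=patients/batch-0014 bytes=4096
2023-11-21T08:00:00 user=asmith action=read object=patients/batch-0003 bytes=4096
"""

@dataclass
class Finding:
    user: str
    when: datetime
    action: str
    obj: str
    hours_after_termination: float

def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' log line into (timestamp, fields)."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    return datetime.fromisoformat(ts), fields

def find_post_termination_access(log_text, terminations, grace=timedelta(0)):
    """Return every logged action by a user after that user's termination time.

    `grace` lets a site tolerate a known deprovisioning lag; zero means any
    access after the HR termination timestamp is a finding.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, f = parse_line(line)
        term = terminations.get(f.get("user"))
        if term is None or when <= term + grace:
            continue  # current employee, or activity before termination
        findings.append(Finding(
            user=f["user"], when=when, action=f.get("action", "?"),
            obj=f.get("object", "?"),
            hours_after_termination=(when - term).total_seconds() / 3600,
        ))
    return findings

def stale_accounts(accounts, terminations):
    """Terminated users whose directory account is still enabled."""
    return sorted(u for u, a in accounts.items()
                  if a.get("enabled") and u in terminations)

if __name__ == "__main__":
    for fnd in find_post_termination_access(ACCESS_LOG, HR_TERMINATIONS):
        print(f"{fnd.user} {fnd.action} {fnd.obj} at {fnd.when:%Y-%m-%d %H:%M} "
              f"({fnd.hours_after_termination:.1f}h after termination)")
    print("terminated but still enabled:",
          stale_accounts(DIRECTORY_ACCOUNTS, HR_TERMINATIONS))
```

Run against the constructed log, the script flags two post-termination actions by `jdoe` (including a large download more than two days after termination) and one by `asmith`, and reports `jdoe` as the one terminated account still enabled. The `stale_accounts` check is the cheaper of the two and is the one worth running on a schedule: it catches the missed deprovisioning before any log line exists to find.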

"Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now," Geisinger claimed, explaining why this is only now coming to light. "The former Nuance employee has been arrested and is facing federal charges."

It's not immediately clear what charges, if any, have been laid – we've asked Geisinger for details.

Speech recognition firm Nuance performed its own probe, according to Geisinger, and determined that the former employee may have stolen information on a million-plus people. That info would include birth dates, addresses, hospital admission and discharge records, demographic information, and other medical data. The ex-employee didn't swipe insurance or other financial information, the multi-billion-dollar healthcare group stated.

"We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges," Geisinger chief privacy officer Jonathan Friesen said, adding: "I am sorry that this happened."

Who skipped the termination checklist, perhaps?

While this snafu may not be Geisinger's fault, Nuance has previously been accused of similar failings.

According to news sources, in 2018 San Francisco's Department of Public Health experienced a break-in that was made possible by a former Nuance employee accessing patients' personal information.

Nuance didn't respond to questions for this story. Given Nuance has been a Microsoft subsidiary for the past three years, this incident is just as likely to reflect poorly on Redmond, especially as the Windows maker was recently found to have employed lax security practices that led to the compromise of Exchange Online by Chinese spies, who used that intrusion to break into cloud-based email accounts belonging to US officials.

Microsoft has also come in for criticism for Exchange break-ins by Russian snoops.

Microsoft's sub-optimal infosec practices have even seen former White House cyber policy director AJ Grotto tell us Microsoft is a national security threat. ®

Updated at 11.58 UTC on June 26, 2024, to add

A spokesperson at Microsoft sent us the following statement: "We are cooperating with law enforcement and doing what is necessary to support our customer."

