Personal data of more than a million patients was stolen from an American hospital chain. It turned out that the perpetrator was a former employee of the IT provider Nuance.
Geisinger, a major player in the American healthcare industry, posted a statement on its website on June 24 regarding the cyber incident, saying that the personal data of more than one million patients was collected by an external actor in November.
This includes names, addresses and telephone numbers, but also medical data and data about the patient’s hospital stay. Insurance and financial information remained out of reach.
The hospital chain is pointing the accusing finger at its IT service provider Nuance Communications. Nuance offers intelligent speech solutions for medical staff. A former employee of the company is said to have been the perpetrator of the hack and has now also been arrested.
Not blameless itself
Nuance itself also has a lot of catching up to do. The contract with the perpetrator had been terminated a few days before the break-in, but the account and login data had not yet been deleted. The company concluded after an internal investigation that the former employee had managed to gain access to sensitive data.
This isn’t the first time something like this has happened to Nuance either. In 2018, the company was involved in a data breach at the San Francisco Department of Health, which also involved a former company employee. Years later, Nuance still seems casual about potential insider threats.
The incident is also not good publicity for Microsoft, which acquired Nuance three years ago for billions of dollars. Microsoft itself has come under criticism for its handling of recent security incidents. Even if Microsoft does not play a direct role in this, parents are always held accountable for what their children do.