Ex-employee of IT vendor may have accessed personal info of 1M-plus Geisinger patients

DANVILLE — Some personal information of more than 1 million Geisinger patients may have been accessed by a former employee of Nuance Communications Inc., an outside vendor that provides information technology services for Geisinger.

Geisinger said on Monday that Nuance was notifying Geisinger patients that some of their personal information may have been accessed by the former employee.

"The information varied by patient but could have included names in combination with one or more of the following: date of birth, address, admit and discharge or transfer code, medical record number, race, gender, phone number and facility name abbreviation," Geisinger said in a prepared release. "No claims or insurance information, credit card or bank account numbers, other financial information, or Social Security numbers were inappropriately accessed by the company's former employee."

Geisinger said it discovered and immediately notified Nuance on Nov. 29 that a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated.

"Upon learning this, Nuance permanently disconnected its former employee's access to Geisinger's records," Geisinger stated. "An investigation was launched, and law enforcement was engaged. Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now. The former Nuance employee has been arrested and is facing federal charges."

Federal prosecutors allege Max Vance, also known as Andre J. Burk, intentionally accessed a computer without authorization and exceeded authorized access to a computer and thereby obtained information from a protected computer, and the value of the information exceeded $5,000, according to the indictment filed on Jan. 30.

Chief U.S. District Judget Matthew W. Brann set jury selection for Aug. 5 in U.S. Middle District Court in Williamsport.

Jonathan Friesen, Geisinger's chief privacy officer, stated, "Our patients' and members' privacy is a top priority, and we take protecting it very seriously. We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened."

Geisinger encourages those who have received a notice to review the information and call 855-575-8722 to address any concerns. They may call Monday through Friday, between 9 a.m. and 9 p.m., Eastern Time, except for major U.S. holidays, and provide engagement number B124652.

Further, those patients whose information was involved in the incident are encouraged to review the statements they receive from their health plan and contact their health insurer immediately if they see services they did not receive.