A Centre County man filed a class-action lawsuit Friday against Geisinger, four days after the health care system publicly disclosed a data security breach that may have affected more than one million patients.
James Wierbowski’s attorneys alleged Geisinger and its third-party information technology vendor Nuance Communications failed to reasonably safeguard patients’ personal data, including their names, dates of birth, address, race, gender, phone numbers and more.
Nuance is owned by tech giant Microsoft.
Theft of the vital data can have “grave and lasting consequences for victims,” Wierbowski’s attorneys wrote. A message left Monday with Geisinger was not immediately returned.
How did this happen?
Geisinger placed blame squarely on its IT vendor. In announcing the breach, the health system wrote it was providing notice of “Nuance’s data security incident.”
Geisinger said it discovered in November that a former Nuance employee accessed patient information two days after they were terminated. Nuance permanently disconnected the former worker’s access to patient records after it was notified, Geisinger wrote.
The company’s investigation found the worker may have also accessed admission, discharge or transfer codes, medical record numbers and location information.
No claims or insurance information, credit card or bank account numbers, other financial information, or Social Security numbers were inappropriately accessed by the former employee, Geisinger wrote.
Why am I just now finding out about this?
An investigation was launched once the breach was discovered. Investigators asked Nuance to delay notifying patients until last week so it did not impede the probe.
The former worker — Max Vance, aka Andre J. Burk — was indicted in January and is being prosecuted by the Justice Department. He pleaded not guilty. His trial is scheduled to begin Nov. 4 at the federal courthouse in Lycoming County.
“Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously,” Geisinger’s Chief Privacy Officer Jonathan Friesen said in a statement. “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.”
How do I know if my data was affected?
There’s a more than 80% chance your data may have been accessed. The investigation found Vance, of southern California, may have taken information from more than one million Geisinger patients. The health system said it serves about 1.2 million people in Pennsylvania.
Patients received a copy of the notice in the mail last week. They may call 855-575-8722 between 9 a.m. and 9 p.m. weekdays, except major U.S. holidays, for assistance. Geisinger encouraged patients to provide engagement number B124652.
Geisinger also encouraged patients whose information may have been disclosed to review statements they receive from their health plan and contact their insurer if they see services they did not receive.
Wierbowski’s attorneys alleged Nuance failed to revoke Vance’s access to patient information after he was terminated. It lists six counts, including negligence, breach of fiduciary duty and implied contract.
It asked a federal judge to allow the suit to move forward as a class action, one that seeks “appropriate monetary relief.”
Most Popular
Comments / 0