Microsoft blamed for million-plus patient record theft at US hospital giant

Updated American healthcare provider Geisinger fears highly personal data on more than a million of its patients has been stolen – and claimed a former employee at a Microsoft subsidiary is the likely culprit.

Geisinger on Monday announced the results of a probe into a November computer security breach, placing the blame on Microsoft-owned Nuance Communications for not cutting off one of its employees' access to corporate files after that person was fired.

The Pennsylvania-based healthcare giant uses Nuance as an IT provider. We're told that after the Microsoft-owned entity terminated one of its workers, that staffer two days later may have accessed and taken copies of sensitive records on a huge number of Geisinger patients – for reasons as yet unknown.

Geisinger – which says it operates 13 hospitals and has more than 600,000 members – said it discovered the improper access on November 29, informed Nuance, and the IT supplier immediately cut off the former employee from the healthcare group's data before involving police.

"Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now," Geisinger claimed, explaining why only now this is coming to light. "The former Nuance employee has been arrested and is facing federal charges."

It's not immediately clear if or what charges have been laid – we've asked Geisinger for details.

Speech recognition firm Nuance performed its own probe, according to Geisinger, and determined that the former employee may have stolen information on a million-plus people. That info would include birth dates, addresses, hospital admission and discharge records, demographic information, and other medical data. The ex-employee didn't swipe insurance or other financial information, the multi-billion-dollar healthcare group stated.

"We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges," Geisinger chief privacy officer Jonathan Friesen alleged, adding: "I am sorry that this happened."

Who skipped the termination checklist, perhaps?

While this snafu may not be Geisinger's fault, Nuance has previously been accused of similar failings.

According to news sources, in 2018 San Francisco's Department of Public Health experienced a break-in that was made possible by a former Nuance employee accessing patients' personal information.

• Google takes shots at Microsoft for shoddy security record with enterprise apps
• Microsoft cannot keep its own security in order, so what hope for its add-ons customers?
• Microsoft answered Congress' questions on security. Now the White House needs to act
• What Microsoft's latest email breach says about this IT security heavyweight

Nuance didn't respond to questions for this story. Given it's been a Microsoft subsidiary for the past three years, this incident is just as likely to reflect poorly on Redmond – especially given the Windows maker has recently been revealed employing lax security practices that led to the compromise of Exchange Online by Chinese spies who used that intrusion to compromise cloud-based email accounts belonging to US officials.

Microsoft has also come in for criticism for Exchange break ins by Russian snoops.

Microsoft's sub-optimal infosec practices have even seen former White House cyber policy director AJ Grotto tell us Microsoft is a national security threat. ®

Updated at 11.58 UTC on June 26, 20204, to add

A spokesperson at Microsoft sent us the following statement: "We are cooperating with law enforcement and doing what is necessary to support our customer."