Data leak
Supply Chain
Geisinger Health - Nuance Communications Insider Breach
Incident Details
Geisinger Health (a major Pennsylvania health system) discovered on 29 November 2023 that former Nuance employee Andre Burk (age 46, California) had accessed patient records from 27 November 2023, two days after his termination. Law enforcement requested a 7-month notification delay until June 2024 to avoid impeding the investigation. Data on 1,276,026 patients was exposed, including names, DOBs, addresses, medical record numbers, race, gender, and phone numbers. No SSNs or financial data were accessed. Burk pleaded guilty in February 2025. Settled for $5 million.
Technical Details
- Initial Attack Vector: Insider threat. A former Nuance Communications IT employee (Andre J. Burk / 'Max Vance') accessed Geisinger patient records two days after being terminated from Nuance, using credentials that had not yet been deprovisioned.
- Vendor / Product: Nuance Communications (Microsoft subsidiary)
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2023-11-27 Breach occurred
- 2024-06-24 Publicly disclosed
- 2024-06-24 Customers notified