Microsoft Blamed For Million-Plus Patient Record Theft At US Hospital Giant (theregister.com)
Brandon Vigliarolo reports via The Register: American healthcare provider Geisinger fears highly personal data on more than a million of its patients has been stolen -- and claimed a former employee at a Microsoft subsidiary is the likely culprit. Geisinger on Monday announced the results of a probe into a November computer security breach, placing the blame on Microsoft-owned Nuance Communications for not cutting off one of its employees' access to corporate files after that person was fired. The Pennsylvania-based healthcare giant uses Nuance as an IT provider. We're told that after the Microsoft-owned entity terminated one of its workers, that staffer two days later may have accessed and taken copies of sensitive records on a huge number of Geisinger patients -- for reasons as yet unknown.
Geisinger -- which says it operates 13 hospitals and has more than 600,000 members -- said it discovered the improper access on November 29, informed Nuance, and the IT supplier immediately cut off the former employee from the healthcare group's data before involving police. "Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now," Geisinger claimed, explaining why only now this is coming to light. "The former Nuance employee has been arrested and is facing federal charges." It's not immediately clear if or what charges have been laid -- we've asked Geisinger for details.
Speech recognition firm Nuance performed its own probe, according to Geisinger, and determined that the former employee may have stolen information on a million-plus people. That info would include birth dates, addresses, hospital admission and discharge records, demographic information, and other medical data. The ex-employee didn't swipe insurance or other financial information, the multi-billion-dollar healthcare group stated. "We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges," Geisinger chief privacy officer Jonathan Friesen alleged, adding: "I am sorry that this happened."
why are the medical records in the corporate files? (Score:5, Interesting)
why are the medical records in the corporate files?
Re: why is the medical records in the corporate fi (Score:4, Interesting)
Re: (Score:3)
HIPAA ~~ Health Insurance Portability and Accountability Act
Yeah, the 'P' is important. These health records were *very* portable.
Re: (Score:1)
A to B costs big money but you have this fancy free corporate connection that bills to a different department...
Re: (Score:3)
Because medicine is controlled by corporations.
Re: (Score:2)
But perhaps the current situation is better. Before LLMs, the audio along with the patient record was probably sent to India.
It should have been immediately turned off! (Score:5, Interesting)
Re: It should have been immediately turned off! (Score:2)
Re:It should have been immediately turned off! (Score:5, Interesting)
I worked for a company once and I had an older Unix on my desk I was just putting a new RTC in for a company we'd just bought. I come in one morning and the system is missing. I thought someone had stolen it. Turns out someone kinda had. It was IT security who was concerned I'd been using a "rogue server" as they put it after hearing I had "something different". The thing wasn't even connected to the network, but he took it off my private bench and didn't leave so much as a note. The guy had to override our door security and get a maintenance guy to let him into the room where I had my desk and a couple of workbenches.
So, the problem for IT security was that I got the head of physical security hired a while back and he and I went way back (worked with him at Oracle and IBM). He found where they'd absconded with the system after futzing with the door security and proceeded to act on it as if it were, in fact, stolen off my desk, since, you know, he had the video evidence of this jack move right at his fingertips and I helped him extract the logs of the unauthorized entry in his little door-badge system. The IT security jacker found himself being written up by my SVP buddy and then fired a few days later for violating multiple company policies (didn't help that he got pissy & loud with the SVP's physical security staff). The system was heavy and when they told me I could come get it I said "No, I'm not coming to get it. You can bring it back and put it back where you found it, unless you just like having stolen property around." So, I made the IT Security manager haul it over, because the original guy who took it was busy getting a pink slip. The IT security group lost all access to the physical door badge reader system, too.
Re: It should have been immediately turned off! (Score:2)
Seems like the company I work for.
The only way around such things is to set up a completely separate isolated net with written permission from your boss.
Re:It should have been immediately turned off! (Score:4, Interesting)
Or you need to make some effort to understand the nuances. Cutting off all access on a hair trigger BEFORE termination is bad. Failing to cut off all access during or very shortly after termination (while the ink is drying on the orders for example) is bad.
As a note to anyone who finds themselves terminated, demand in writing that all of your access be revoked immediately including changing any passwords you know.
Otherwise, you become the natural fall-guy for anything and everything that goes wrong afterward. There's a good chance your employer will fail to honor your demand, but you'll have it in writing that you demanded it, so their failure will blow up their attempt to use you as a scapegoat.
define stolen and may have accessed?? (Score:2)
may have accessed??
so it's stolen to still have access to something that was part of your job? and it's like you had access to X and it's up to who controls X to remove it?
What if it was some automated system that accessed the files?
They need to fight this and demand all logs, and if they can't give all logs then you must acquit!
Re: (Score:2)
I'm presuming you're intentionally being a dumbass. The person was let go. At that point they are no longer an employee and have no right to anything at their former employer. Anything that former employee takes is now considered stolen.
Re: (Score:2)
He's guessing that there was some automated script that the guy had running as part of his job, and just wasn't deactivated or assigned to a different user when he was fired. It looks like one valid way to read the summary, though certainly not the only one.
Was it actually the ex employee? (Score:2)
It could have been some kind of backup user data task that is run after the user is locked out but before the user is fully removed.
And what if the user had that data in their account before they were removed from the job?
Re: (Score:2)
There is certainly reasonable doubt that an APT could have watched for a firing and then exploited that knowledge to misattribute data theft.
Or they found the archive in the guy's apartment; who knows?
Perfect Example (Score:4, Insightful)
Re: (Score:3)
not to use Microsoft products for anything. There's too much call-home, telemetry, and spyware shit baked in.
Once Recall takes off, I expect stuff like this to be a lot more common. All someone would need to do is gain access, turn on the Recall feature or any other AI training who-hash and come back in a week (assuming multiple other factors fail like IT security did here). When the OS does all the things that bad guys would need a payload to do, I think the OS makers need to rethink their priorities.
Hey (Score:2)
How are those layoffs working out for you?
OK, several issues (Score:3)
1. This is a clear attempt to undermine the law.
2. Irrespective of this, least privilege doctrine should make content unavailable to those who don't have a need to know.
3. Irrespective of this, allowing access to dismissed employees is asking for trouble.
4. Irrespective of this, a properly configured system cannot transmit data to unauthorised machines.
I'd close both the healthcare provider and subsidiary for gross stupidity unbecoming of a non-politician.
Re: (Score:2)
I think you're taking the summary too literally. Often it contains serious overgeneralizations, and lot of omitted relevant details. And this is a report of what a PR guy said, and if you believe the report is accurate, you should trust it as much as you normally trust PR claims. (Unless this is a lawyer speaking, in which case substitute lawyer for PR.)
Re: (Score:2)
In some places it can take more than 2 days to fully remove an old user and fully remove all authorized machines.
Also, what if some of the authorized machines still need the data?
Re: (Score:2)
We've had SELinux for some time now. You can give an application privileges independently of the user. As such, said application could be configured to perform tasks X, Y, and Z except when that user is using them.
Having worked at Nuance I'm not surprised (Score:2)
Their HR & legal are a joke. The lawyers CC'd the details of the overall organisational layoff.
Deja vu: firing procedure (Score:2)
I said this last time: firing should follow a very basic and consistent procedure:
1) get person in real/virtual room to inform them of termination
2) IT is lined up before call to cut all access
3) IT cuts access at end of call
4) HR confirms IT cut access at end of call
How fucking hard is this?
Yes yes some countries have laws about paying people off and keeping them in payroll blah blah blah, so keep them on payroll with no access or cut them a check for their remainder time.
This is basic stuff that every com
Re: (Score:2)
Does the main IT even have full control over each system? They may be able to cut main AD off right away, but other systems may have sync delays or need a different team / admin to remove users from system X, Y, Z.
Re: (Score:2)
If they don't then why not? Why isn't there a single vpn end point and/or AD or similar system that can be used to lock out an external entry?
There may be some obscure internal systems that take longer but why can an outsider reach the inside network?
This is really basic stuff. Seriously. I don't understand how this can even be a discussion or a thing that happens at so many places other than sheer incompetence.
In some of these cases some ex employee logged in doing damage months after termination. Wild
Re: (Score:2)
months is one thing but 2 days?
Re: (Score:2)
A *LOT* of damage can be done in two days.
I've worked startups, mid sized, large, fortune 100, government, and education jobs. I've never been at a place that didn't cut off my access by EOD, at worst, on my last day no matter the reason for my departure.
In the case of friendly departures I was there until eod, shook hands with folks and made sure they got the full list of access I had cut off. In case of termination for layoff, firing, anything non voluntary, they typically had my access cut on the way t
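The "Deja vu: firing procedure" post above lays out a four-step offboarding procedure (revoke at end of call, HR confirms the revocation), and the reply thread raises the failure mode that matters in the Geisinger case: the central directory is disabled but a VPN endpoint or file-share account lags behind a sync delay or belongs to a different admin team. The script below is an added example written for this page, not code from Geisinger, Nuance or The Register. It models step 4 (HR confirmation) as an audit that checks every system, not just the directory, for accounts of terminated users that are still enabled, and then runs the complementary detection over access logs: any event by a terminated user after the termination timestamp is a finding, with the lag reported (two days, in the article's account). The HR records, system snapshot and log lines are all constructed for the example; the system names `ad`, `vpn` and `fileshare` are placeholders.

```python
"""Offboarding audit: confirm revocation on every system and flag
post-termination access in logs. Added example; all data is constructed."""
from datetime import datetime, timedelta

# Constructed HR record: when each user's termination took effect (UTC).
TERMINATED = {
    "jdoe": datetime(2023, 11, 27, 15, 0),
}

# Constructed snapshot of identity systems after the "IT cuts access" step.
# The central directory was disabled, but the VPN account and the
# file-share account were never revoked (sync delay / separate admin team).
SYSTEMS = {
    "ad": {"jdoe": {"enabled": False}, "asmith": {"enabled": True}},
    "vpn": {"jdoe": {"enabled": True}, "asmith": {"enabled": True}},
    "fileshare": {"jdoe": {"enabled": True}, "asmith": {"enabled": True}},
}

# Constructed access log, one key=value event per line, ISO-8601 UTC timestamp.
LOG = """\
2023-11-27T14:10:00Z user=jdoe system=fileshare action=read path=/export/q3.csv
2023-11-29T09:42:11Z user=jdoe system=vpn action=login src=203.0.113.7
2023-11-29T09:45:03Z user=jdoe system=fileshare action=read path=/records/batch1.zip
2023-11-29T10:00:00Z user=asmith system=fileshare action=read path=/records/batch1.zip
"""


def parse_line(line):
    """Turn 'TS key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def lingering_accounts(systems, terminated):
    """Step 4 of the procedure: every (system, user) pair where a terminated
    user is still enabled. An empty list is the only acceptable HR sign-off."""
    return sorted(
        (name, user)
        for name, accounts in systems.items()
        for user, state in accounts.items()
        if user in terminated and state["enabled"]
    )


def post_termination_access(log, terminated, grace=timedelta(0)):
    """Detection: events by a terminated user after their cutoff (plus an
    optional grace window for sanctioned cleanup jobs). Returns
    (user, system, action, lag-after-termination) tuples in log order."""
    findings = []
    for line in log.splitlines():
        ev = parse_line(line)
        cutoff = terminated.get(ev["user"])
        if cutoff is not None and ev["ts"] > cutoff + grace:
            findings.append((ev["user"], ev["system"], ev["action"], ev["ts"] - cutoff))
    return findings


def offboarding_report(systems, log, terminated):
    """Combine the revocation audit and the log review into one report;
    'hr_confirmed' is True only when no system still grants access."""
    lingering = lingering_accounts(systems, terminated)
    return {
        "lingering": lingering,
        "hr_confirmed": not lingering,
        "post_termination_events": post_termination_access(log, terminated),
    }


if __name__ == "__main__":
    report = offboarding_report(SYSTEMS, LOG, TERMINATED)
    for system, user in report["lingering"]:
        print(f"REVOKE: {user} still enabled on {system}")
    for user, system, action, lag in report["post_termination_events"]:
        print(f"ALERT: {user} {action} on {system} {lag} after termination")
    print("HR sign-off possible:", report["hr_confirmed"])
```

Run as-is, the report refuses HR sign-off because `vpn` and `fileshare` still list the user, and the log review surfaces the two events from two days after termination while ignoring the pre-termination read and the unrelated user. The `grace` parameter exists for the case a reply raises (a sanctioned backup or data-migration task that runs after lock-out): widen it only for named service accounts, never for the departed person's own credentials, since that is exactly the window the article describes.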
So that's what Microsoft was doing with Nuance (Score:1)
When Microsoft acquired Nuance, the company that developed Swype (the best keyboard app that ever existed), I hoped they'd immediately jump on the opportunity to ditch their failed keyboard product (SwiftKey) and simply release Swype under their own brand.
What Swype offered for non-English speakers was language-specific keyboard layouts, which neither Google nor Microsoft can be bothered to support. If anyone from Microsoft is reading this in the aftermath of the current PR disaster, try to get Swype open s
Re: (Score:2)
When Microsoft acquired Nuance, the company that developed Swype (the best keyboard app that ever existed) :(
I still have my paid for copy of swype. It's getting janky these days. I suppose some of the assumptions about Android it was built with have broken in the last decade since it was withdrawn.
Even with those quite bad bugs it's still very substantially better than the shitty alternatives (looking at you, gboard). Why didn't they bother to rip off all the good features, instead of making a shitty half
Re: (Score:1)
Swype is one of the main reasons why I'm not upgrading my phone until it's dead. I have a Samsung Galaxy S8 that still works, and Swype is configured with languages that are no longer available for download on new installations, because they've since shut down the servers.
The gestures are amazing. "Ctrl+A", "Ctrl+C", "Ctrl+X", "Ctrl+V" (with the Swype key instead of Ctrl) all worked as intuitively expected.
Re: (Score:2)
Do you have a paid copy? If so you can still download it from the app store. I recently replaced my S8+
Re: (Score:1)
Yes, installing the application wouldn't be a problem (I can also export the APK), but I can no longer download additional languages.
Blame (Score:3)
Sure, let's blame everyone but yourself. If this company hired real cyber security people and paid attention to them, they would not be here. But easy and cheap always wins.
Granted a Windows ecosystem is much harder to secure and securing it costs more, but it is doable with some pain. Again, I guess this company is looking at a slap on the wrist, then a week or two later the justice system will kiss it to make it better.