News: 1719362646

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Microsoft blamed for million-plus patient record theft at US hospital giant

(2024/06/26)


American healthcare provider Geisinger fears highly personal data on more than a million of its patients has been stolen – and claimed a former employee at a Microsoft subsidiary is the likely culprit.

Geisinger on Monday [1]announced the results of a probe into a November computer security breach, placing the blame on [2]Microsoft-owned Nuance Communications for not cutting off one of its employees' access to corporate files after that person was fired.

The Pennsylvania-based healthcare giant uses Nuance as an IT provider. We're told that after the Microsoft-owned entity terminated one of its workers, that staffer two days later may have accessed and taken copies of sensitive records on a huge number of Geisinger patients – for reasons as yet unknown.

[3]

Geisinger – which says it operates 13 hospitals and has more than 600,000 members – said it discovered the improper access on November 29, informed Nuance, and the IT supplier immediately cut off the former employee from the healthcare group's data before involving police.

[4]

[5]

"Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now," Geisinger claimed, explaining why only now this is coming to light. "The former Nuance employee has been arrested and is facing federal charges."

It's not immediately clear if or what charges have been laid – we've asked Geisinger for details.

[6]

Speech recognition firm Nuance performed its own probe, according to Geisinger, and determined that the former employee may have stolen information on a million-plus people. That info would include birth dates, addresses, hospital admission and discharge records, demographic information, and other medical data. The ex-employee didn't swipe insurance or other financial information, the multi-billion-dollar healthcare group stated.

"We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges," Geisinger chief privacy officer Jonathan Friesen alleged, adding: "I am sorry that this happened."

Who skipped the termination checklist again?

While this snafu doesn't seem to be Geisinger's fault, Nuance has previously been accused of similar failings.

According to news sources, in 2018 San Francisco's Department of Public Health experienced a [7]break-in that was made possible by a former Nuance employee accessing patients' personal information.

[8]Google takes shots at Microsoft for shoddy security record with enterprise apps

[9]Microsoft cannot keep its own security in order, so what hope for its add-ons customers?

[10]Microsoft answered Congress' questions on security. Now the White House needs to act

[11]What Microsoft's latest email breach says about this IT security heavyweight

Nuance didn't respond to questions for this story. Given it's been a Microsoft subsidiary for the past three years, this incident is just as likely to reflect poorly on Redmond – especially given the Windows maker has recently been revealed employing lax security practices that led to the compromise of Exchange Online by Chinese spies who used that intrusion to [12]compromise cloud-based email accounts belonging to US officials.

Microsoft has also come in for criticism for [13]Exchange break ins by Russian snoops.

Microsoft's sub-optimal infosec practices have even seen former White House cyber policy director AJ Grotto tell us Microsoft is a [14]national security threat . ®

Get our [15]Tech Resources



[1] https://www.geisinger.org/about-geisinger/news-and-media/news-releases/2024/06/24/18/17/geisinger-provides-notice-of-nuances-data-security-incident

[2] https://www.theregister.com/2021/04/12/microsoft_nuance/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnuSY7ydTSESWco5oZSigwAAAMg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnuSY7ydTSESWco5oZSigwAAAMg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnuSY7ydTSESWco5oZSigwAAAMg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnuSY7ydTSESWco5oZSigwAAAMg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.nbcbayarea.com/news/local/sf-public-health-officials-inform-895-patients-about-data-breach/178406/

[8] https://www.theregister.com/2024/05/20/google_takes_shots_at_microsoft/

[9] https://www.theregister.com/2024/04/24/microsoft_security_addons/

[10] https://www.theregister.com/2024/06/15/microsoft_brad_smith_congress/

[11] https://www.theregister.com/2024/01/24/microsoft_latest_breach_cozy_bear/

[12] https://www.theregister.com/2024/04/03/cisa_microsoft_exchange_online_china_report/

[13] https://www.theregister.com/2024/05/10/microsoft_president_brad_smith_summoned/

[14] https://www.theregister.com/2024/04/21/microsoft_national_security_risk/

[15] https://whitepapers.theregister.com/



Two words, Internet Explorer

mikus

For 25 years, Microsoft pushed the most commonly abused malware engine as Internet Explorer, at its core ActiveX as part of their own dotnet programming languages, ever to be unleashed on the populace, and only then begrudgingly admit to defeat in killing it off having found better adware and tracking in Google's Chrome engine now. Exchange servers are still a constant liability people misuse and abuse, and Active Directory every time remains the common denominator at the heart of most infections due to it's ubiquitous presence in 99% of enterprises today.

If people haven't learned by now to mistrust Microsoft products, they impose their own blissful ignorance.

This is an especially good time for you vacationers who plan to fly, because
the Reagan administration, as part of the same policy under which it
recently sold Yellowstone National Park to Wayne Newton, has "deregulated"
the airline industry. What this means for you, the consumer, is that the
airlines are no longer required to follow any rules whatsoever. They can
show snuff movies. They can charge for oxygen. They can hire pilots right
out of Vending Machine Refill Person School. They can conserve fuel by
ejecting husky passengers over water. They can ram competing planes in
mid-air. These innovations have resulted in tremendous cost savings which
have been passed along to you, the consumer, in the form of flights with
amazingly low fares, such as $29. Of course, certain restrictions do apply,
the main one being that all these flights take you to Newark, and you must
pay thousands of dollars if you want to fly back out.
-- Dave Barry, "Iowa -- Land of Secure Vacations"