Friday, July 19, 2024
Home » News » Local News » Centre County Man Sues Geisinger, Microsoft-Owned Company over Data Breach

Centre County Man Sues Geisinger, Microsoft-Owned Company over Data Breach

A Centre County man has filed a federal lawsuit against Geisinger Health and a Microsoft-owned information technology provider for a data security beach that may have affected more than 1 million patients.

James Wierbowski claims in the lawsuit entered Monday in the U.S. Middle District Court of Pennsylvania that the Montour County-based health system and third-party vendor Nuance Communications Inc. failed to maintain adequate security measures to safeguard personally identifiable and personal health information. That included “names, dates of birth, address, admit and discharge or transfer codes, medical record numbers, race, gender, phone numbers and care location information,” according to the lawsuit.

Wierbowski is seeking to have the lawsuit certified as a class action on behalf of all “similarly situated persons” and damages in excess of $5 million. He says the breach occurred despite multiple assurances by Geisinger and Nuance that they implement measures to secure patient information.

Geisinger notified patients on June 24 that it had discovered in November a former Nuance employee accessed patient information two days after his termination. Nuance revoked the access and a criminal investigation began immediately, but law enforcement asked Nuance not to disclose the breach immediately because it could have impeded the investigation.

The former employee, Max Vance, also known as Andre J. Burke, was indicted in January on a federal computer crime charge. He pleaded not guilty and is awaiting trial.

“Our patients’ and members’ privacy is a top priority, and we take protecting it very seriously,” Jonathan Friesen, Geisinger chief privacy officer, said in a statement. “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges, I am sorry that this happened.” 

Wierbowski’s attorney, Benjamin Johns, wrote in the lawsuit that the six-month gap between the breach discovery and notification to patients “virtually ensured that the unauthorized third parties who exploited those security lapses could monetize, misuse or disseminate,” personally identifying and personal health information.

No claims or insurance information, financial information or Social Security numbers were accessed in the breach, according to Geisinger.

The breach, though, will have “grave and lasting consequences” for those whose information was accessed and they “will suffer indefinitely from the substantial and concrete risk that their [personal information] will be misused and their identities will be (or already have been) stolen and misappropriated,” Johns wrote.

Information accessed could be used “for any number of improper purposes and scams, including making the information available for sale on the black-market,” he added,

The lawsuit claims negligence and unjust enrichment by both parties, as well as breach of fiduciary duty, breach of implied contract and violations of the Unfair Trade Practices and Consumer Protection Law by Geisinger.

In its June 24 statement, Geisinger encouraged patients who received notifications to review the information and call 855-575-8722 any time between 9 a.m. and 9 p.m. Eastern Monday through Friday, provide engagement number B124651.