March 2, 2026

Former Nuance Employee Stole 1.2M Geisinger Patient Records

In 2023, a former employee of Nuance Communications (a division of Microsoft) admitted to accessing and stealing the records of 1.2 million patients from its partner, Geisinger Health System.

The former employee was Max Vance, an engineer at Nuance Communications, a partner company of Geisinger Health. After his employment at Nuance was terminated, he was still able to access Geisinger patient data, and he did.

According to court filings:

  • The former employee - Max Vance - accessed records of 1.2 million patients

  • Data included:

    • Names

    • Dates of birth

    • Addresses

    • Medical record numbers

    • Admit/discharge codes

    • Care locations

    • Race and gender

  • He used legitimate credentials tied to his employer, Nuance Communications

How was the data exfiltrated?

Unfortunately, this type of insider threat data exfiltration happens every single day. But still, how could this happen in practice? Aren't there policies set in stone to avoid this type of large scale data exfiltration? Not always.

Step 1: Legitimate Access Was Used

  • The individual was a former principal healthcare interface engineer at Nuance Communications.

  • Nuance provided IT services to Geisinger Health System.

  • He used his existing Nuance credentials to access Geisinger’s systems.

Step 2: Direct Queries Against Production Systems

Using those credentials:

  • He ran multiple queries directly against Geisinger servers.

  • These queries targeted numerous categories of private patient information.

  • The data included identifiers, demographic information, and medical-related fields.

Step 3: Bulk Data Export to Files

After running the queries:

  • The extracted data was compiled into two files.

  • These files contained information on 1.2 million patients.

At this stage, the information was no longer just being viewed; it was being packaged for removal.

Step 4: Upload to Personal Cloud Account

He then:

  • Uploaded the files into his personal Microsoft Azure account.

This is the first clear exfiltration boundary crossing:

  • Data moved from the healthcare organization’s controlled environment into a personally controlled cloud tenant.

This step is where the actual damage was set in stone. It shows:

  • Outbound data access, movement, and downloading to external cloud platforms was possible and undetected by their security provider.
  • There were no preventative controls or automated safeguards in place to block large-scale uploads of sensitive data.
  • The transfer and exfiltration proceeded without real-time alerting or remediation.

Step 5: Download to Local Device

From Azure:

  • He downloaded the files to the local drive of his laptop.

  • He also transferred data to a personal Samsung hard drive.

At this point, the data was:

  • Outside the company’s control.

  • Outside the cloud staging account.

  • In his physical possession and exfiltrated.

Step 6: Attempted Cover-Up

After downloading:

  • He deleted his Azure account

  • Cleared cloud metadata and history

  • Cleared his internet browsing history

This indicates:

  • A conscious effort to remove forensic traces

  • Awareness that activity logs might be reviewed
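Detection logic of the kind Steps 1 through 4 call for, as an added example that is not part of the original post: it correlates each access event with HR employment status, flags bulk reads and transfers to unsanctioned destinations, and maps the findings to a containment action. The identities, dates, row threshold and destination allow-list are constructed assumptions, not values from the case.

```python
from datetime import date

# Constructed HR roster (hypothetical identities, not the real people in the case):
# identity -> employment status and the date on which access should have ended.
HR = {
    "eng1@vendor.example": {"status": "terminated", "end": date(2023, 1, 15)},
    "dba1@provider.example": {"status": "active", "end": None},
}

# Constructed audit events of the kind a database or SaaS audit log carries.
EVENTS = [
    {"ts": date(2023, 2, 3), "user": "eng1@vendor.example", "action": "query",
     "rows": 1_200_000, "dest": None},
    {"ts": date(2023, 2, 3), "user": "eng1@vendor.example", "action": "upload",
     "rows": 1_200_000, "dest": "personal-cloud-tenant"},
    {"ts": date(2023, 2, 3), "user": "dba1@provider.example", "action": "query",
     "rows": 40, "dest": None},
]

ROW_THRESHOLD = 10_000                 # assumed per-query baseline for this role
SANCTIONED_DESTS = {"corp-storage"}    # assumed allow-list of approved destinations

def assess(event, hr=HR):
    """Return (severity, reason) findings for one event, correlating HR context."""
    findings = []
    person = hr.get(event["user"])
    if person is None:
        findings.append(("high", "identity not on HR roster"))
    elif person["status"] == "terminated" and event["ts"] > person["end"]:
        findings.append(("critical", "access after employment ended"))
    if event["action"] == "query" and event["rows"] > ROW_THRESHOLD:
        findings.append(("high", f"bulk read of {event['rows']} rows"))
    if event["action"] == "upload" and event["dest"] not in SANCTIONED_DESTS:
        findings.append(("critical", f"transfer to unsanctioned destination {event['dest']}"))
    return findings

def recommended_response(findings):
    """Map findings to an automated containment action (assumed policy)."""
    severities = {sev for sev, _ in findings}
    if "critical" in severities:
        return "suspend-identity-and-quarantine"
    if "high" in severities:
        return "alert-and-require-review"
    return "none"

def triage(events=EVENTS):
    """Score every event and attach the response its findings warrant."""
    return [(e["user"], e["action"], assess(e), recommended_response(assess(e))) for e in events]
```

Calling triage() flags the terminated vendor identity on both its bulk query and its upload, while the active administrator's small query produces no finding.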

Top 5 Risks of Former Employee Data Exfiltration

There are five main risks of employee data exfiltration of this magnitude.

1. Massive Exposure of Sensitive Data at Scale

More than 1.2 million patient records were accessed and removed from Geisinger Health System.

The compromised data included:

  • Personally identifiable information (PII)

  • Protected health information (PHI)

  • Medical record identifiers

and more.

For healthcare organizations, this level of exposure carries elevated regulatory and legal consequences due to HIPAA and state privacy laws - the type of impact that could end a company entirely.

2. Reputational Damage and Loss of Trust

Healthcare is built on patient trust. When PHI is exfiltrated:

  • Patients question data stewardship

  • Partners reassess vendor relationships

  • Boards demand oversight reviews

  • Public confidence erodes

Reputational damage often outlasts financial penalties.

3. Litigation and Financial Impact

At least six civil suits were filed and consolidated into a $5 million settlement.

This is perhaps the starkest risk when looking at the immediate impact of a data breach. But the settlement cost rarely reflects the total impact. Additional costs likely included:

  • Incident response and forensic investigation

  • Legal fees

  • Regulatory reporting

  • External communications

  • Credit monitoring services

  • Operational disruption

Insider incidents usually become multi-million dollar events - and they’re 100% preventable.

4. Regulatory and Compliance Exposure

Delayed patient notification (approximately seven months after discovery) increased legal scrutiny. For healthcare organizations, insider breaches trigger:

  • Federal investigation

  • State-level regulatory review

  • Compliance audits

  • Potential civil penalties

When insider risk intersects with healthcare data, regulatory exposure compounds quickly.

5. Erosion of Confidence in Access Governance

Lastly, the most strategic risk is the impact on the security program as a whole. This incident demonstrates that:

  • Authorized credentials were sufficient to extract 1.2 million records

  • Large query activity did not trigger containment

  • Data could move to a personal cloud account

For security leadership, this creates uncomfortable board-level questions:

  • Who has access to the data? Should they have access based on their role, scope, tenure, and usual responsibilities?
  • What are they doing with the data? Is it normal behavior or is it risky?
  • How quickly can we detect anomalous behavior?
  • How can we get our tools to talk to each other to know when data is moving?
  • Can we remediate this type of anomaly or exposure as it's happening?

This shifts insider risk from an HR issue to a board-level security architecture concern.

How DoControl Prevents Insider Threat Driven Data Exfiltration

The biggest thing to note about this multi-million dollar data breach is that it was caused by a third-party contractor who STILL had access to the sensitive files within the environment.

This happens more than one might think: Vendors are granted broad access to company data for legitimate business reasons, but when the engagement ends, those permissions are not systematically revoked. The access remains - even when the business need does not.

It happens to regular employees as well: a user becomes over-permissioned, access patterns quietly change, sensitive data accumulates, and files move between SaaS environments.

No single action looks catastrophic - but when they’re looked at together, with context, the signals tell a story.

Preventing insider-driven exfiltration requires connecting those signals, and acting before the data leaves the environment forever.

Here’s how DoControl approaches it.

1) Get real visibility into identity risk

You can’t prevent what you can’t see. Most organizations know who their employees are, but they don’t know:

  • Which third parties (or former employees) still have active access
  • What employees or contractors are accessing what data
  • Whether or not that data access makes sense for them and their role
  • Which employees are sharing externally or connecting to third party tools
  • Which identities present elevated exposure risk

DoControl continuously builds a live risk profile for every identity by correlating:

  • HR context (role, department, employment status, tenure, etc.)
  • Business relevance of the access or activity
  • Behavioral baselines of their access + sharing patterns over time
  • Permissions across SaaS environments

This isn’t a static access review. It's an ongoing identity risk posture discovery.

If someone has the ability to extract millions of records, security knows - before they try.

2) Monitor behavior in context, not in isolation

Most insider activity doesn’t violate policy outright. It’s a slow deviation from normal behavior.

DoControl monitors user activity and benchmarks it against:

  • User behavior (have they done this before? Are they working with a specific contractor that would require this?)
  • Department norms (does someone from R&D usually access sensitive sales data? Probably not…)
  • Historical user patterns (is this user risky? Are they on a watchlist? Have they had a similar incident in the past?)
  • Data sensitivity levels of the files themselves

On its own, a single access or sharing activity raises an alert that can seem harmless on the surface. Correlated together, such activities indicate risk. This is where context matters.

DoControl enriches detection with business intelligence from IdP, HRIS, and other systems to distinguish:

  • Legitimate business activity

  • From behavior that warrants intervention

This dramatically reduces noise while increasing precision. Security teams aren’t chasing alerts. They’re seeing prioritized insider risk.

3) Watch the data, especially when it moves

Exfiltration is rarely a single download. It’s staged movement.

Aside from our Insider Risk Management capabilities, DoControl’s context-based DLP continuously monitors sensitive data across SaaS applications and understands:

  • What the data is (PHI, PII, IP, financial data)

  • Who is interacting with it

  • Whether that interaction aligns with role and business context

When sensitive data is shared externally, uploaded to personal cloud accounts, or moved in high-risk ways, it’s detected immediately. But detection alone isn’t enough.

4) Most SaaS security solutions stop here; DoControl doesn't

Alerts don’t prevent breaches. Action does.

DoControl’s real differentiator is automated remediation in real time.

When high-risk insider activity is identified, the platform can automatically:

  • Quarantine sensitive files

  • Remove public or external sharing links

  • Revoke specific permissions

  • Suspend user access across SaaS applications

  • Deactivate internal or third-party accounts

The exfiltration chain is interrupted before data leaves your control. This is how you eliminate exfiltration risk - not just detect it.

5) Reduce negligent employee risk along the way

Not all insider risk is malicious.

Sometimes it’s careless sharing, misunderstood policy, overexposed files, and the like.

This is why DoControl engages users in real time:

  • Notifying them when policies are violated

  • Providing guidance to remediate

  • Reinforcing secure behavior

This builds a culture of accountability while reducing exposure that simply stems from negligence.

Conclusion

In the Geisinger case, the individual responsible has pleaded guilty. Civil suits were consolidated and settled for $5 million. Devices seized during the investigation contained remnants of the exfiltrated patient data. The legal chapter is largely closing.

But the operational and reputational impact doesn’t end with a plea agreement.

More than 1.2 million patient records were accessed and removed. For security leaders, this isn’t just a concluded criminal matter; it’s a case study in how insider risk materializes in modern SaaS environments.

As organizations expand across SaaS platforms, cloud infrastructure, third-party vendors, and distributed workforces, the traditional perimeter becomes less relevant. Identity becomes the control plane. Behavior becomes the signal. Data movement becomes the risk surface.

The question for security leadership is no longer:

“Could this happen to us?”

It’s:

“Would we see it early enough, and could we stop it in time?”

Insider risk prevention is no longer about investigation after the fact. It’s about continuous visibility, contextual monitoring, and automated response before exposure becomes breach.


Sources:

https://www.pennlive.com/news/2026/02/california-man-admits-breaching-more-than-12m-geisinger-patient-records.html

https://databreaches.net/2026/02/27/former-nuance-employee-admits-breaching-more-than-1-2m-geisinger-patient-records/

Melissa leads DoControl’s marketing and content strategies, creating educational and engaging narratives that position the brand at the center of the SaaS security market. She translates complex industry trends and security challenges into clear, practitioner-focused insights that highlight DoControl’s unique value.

Her work spans content, campaigns, and brand, connecting strategy and execution across channels to strengthen positioning, inform the market, and shape how organizations think about and approach SaaS security today.
