
Insider Threat: 1.2M Record Geisinger Breach via Nuance — Detection and Hardening Guide

Security Arsenal Team
May 15, 2026
6 min read

The sentencing of a former Nuance Communications employee for the theft of 1.2 million patient records from Geisinger Health System is a stark reminder that the most dangerous threat often already has the keys. While the industry obsesses over external zero-days, this case highlights the devastating impact of insider threats and the critical failure of access governance within the Business Associate (BA) supply chain.

For defenders, this isn't just a news story about a conviction; it is a failure case study in Data Loss Prevention (DLP), privileged access management, and third-party lifecycle management. The breach involves the exfiltration of Protected Health Information (PHI) by a trusted insider, necessitating an immediate review of detection logic for bulk data transfers and privileged account auditing.

Technical Analysis

Threat Vector: Insider Threat / Privilege Abuse / Data Exfiltration

Affected Entities & Platforms:

  • Primary Victim: Geisinger Health System (Data Controller / Covered Entity)
  • Source of the Insider: Nuance Communications (Business Associate / IT & AI Service Provider); the actor was a former Nuance employee, not an external attacker who compromised Nuance
  • Data Type: PHI (per Geisinger's public notification: names, dates of birth, addresses, phone numbers, medical record numbers, admit/discharge codes, race and gender; Geisinger reported no SSNs, financial data or insurance information in the accessed set)

Attack Chain Breakdown:

  1. Initial Access: The threat actor used credentials issued to them as a Nuance employee supporting Geisinger's infrastructure. Per Geisinger's public notice, the access occurred two days after the employee had been terminated, so the credentials should already have been revoked. There is no evidence of technical exploitation (e.g., CVE exploitation); the "vulnerability" was access that outlived the employment relationship and was broader than the role required.
  2. Discovery & Collection: The actor accessed sensitive databases or file repositories containing patient records. Given the volume (1.2M records), the actor likely utilized automated scripting or bulk export tools rather than manual copy-paste.
  3. Exfiltration: The data was moved outside the authorized corporate boundary. In cases of this magnitude involving insider actors, exfiltration typically occurs via:
    • Removable Media: Copying to USB drives (often bypassing network DLP).
    • Cloud Storage: Uploading to personal file-sharing services (e.g., Dropbox, OneDrive personal).
    • Direct Database Dump: Using utilities like bcp (Bulk Copy Program) or SQL management tools to export flat files.

Exploitation Status:

  • Status: Confirmed historical breach; the insider was prosecuted and sentenced, so the facts above come from public filings and Geisinger's notification rather than from speculation.
  • Technique: Abuse of legitimate privileges (MITRE ATT&CK T1078 - Valid Accounts).

Detection & Response

Detecting insider threats requires shifting from "signature-based" detection to "anomaly-based" hunting. We need to identify when a trusted user behaves like a thief—specifically, attempting to move high volumes of data.

SIGMA Rules

YAML
---
title: Potential Mass Data Export via PowerShell
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects PowerShell command lines that combine a recursive file enumeration with an export or copy cmdlet, the pattern seen when an insider scripts a bulk pull of records instead of copying files by hand.
references:
  - https://attack.mitre.org/techniques/T1119/
  - https://attack.mitre.org/techniques/T1048/
author: Security Arsenal
date: 2025/04/02
tags:
  - attack.collection
  - attack.t1119
  - attack.exfiltration
  - attack.t1048
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_export:
    CommandLine|contains:
      - 'Export-Csv'
      - 'Out-File'
      - 'Copy-Item'
  selection_bulk:
    CommandLine|contains:
      - '-Recurse'
      - 'Get-ChildItem'
  # every selection must match; the recursive enumeration is what separates a bulk pull from a one-off report
  condition: all of selection_*
falsepositives:
  - System administration backups
  - Legitimate reporting scripts (allow-list by account and script path after baselining)
level: high
---
title: Removable Storage Device Attached (USB Mass Storage)
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects a new external disk or USB mass storage device being recognized by a Windows host (Security Event ID 6416, requires the "Audit PNP Activity" subcategory). Process-creation telemetry cannot tell a removable volume from a fixed one, so the device-attach event is the reliable signal; correlate it with subsequent file copies to the new drive letter.
references:
  - https://attack.mitre.org/techniques/T1052/001/
author: Security Arsenal
date: 2025/04/02
tags:
  - attack.exfiltration
  - attack.t1052.001
logsource:
  product: windows
  service: security
detection:
  selection_class:
    EventID: 6416
    ClassName: 'DiskDrive'
  selection_desc:
    EventID: 6416
    DeviceDescription|contains: 'USB Mass Storage'
  condition: 1 of selection_*
falsepositives:
  - Authorized user backups to USB
  - Non-storage USB peripherals on hosts where ClassName is not populated (tune on DeviceDescription)
level: medium
---
title: SQL Bulk Copy Program Usage
id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects bcp.exe exporting a table or query result to a file, or sqlcmd.exe writing query output to a file. Both dump whole tables to flat files and are frequently used during insider theft.
references:
  - https://attack.mitre.org/techniques/T1005/
  - https://attack.mitre.org/techniques/T1048/
author: Security Arsenal
date: 2025/04/02
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: process_creation
  product: windows
detection:
  selection_bcp:
    Image|endswith: '\bcp.exe'
    CommandLine|contains:
      - ' queryout '
      - ' out '
  selection_sqlcmd:
    Image|endswith: '\sqlcmd.exe'
    CommandLine|contains: ' -o '
  condition: 1 of selection_*
falsepositives:
  - Legitimate DBA administrative tasks (allow-list the DBA jump hosts and scheduled job accounts)
level: high
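Before shipping rules like these it is worth checking what they fire on. The following is an added example, not code from the original page or from Security Arsenal: it re-implements the selection logic of the PowerShell-export and bcp rules in Python (Sigma `endswith`/`contains` field tests, AND inside a selection, `all of` or `1 of` across selections) and runs it over constructed Sysmon-style process-creation events. The account names, paths and command lines are invented for the example.

```python
"""Mini Sigma-style evaluator: applies the PowerShell-export and bcp rule logic
to constructed process_creation events. Added example; the sample events and
account names are invented, not real telemetry."""

# Field tests mirror Sigma: "Field|modifier" keys, a list of values is OR-ed,
# fields inside one selection are AND-ed, string matching is case-insensitive.
RULES = {
    "Potential Mass Data Export via PowerShell": {
        "condition": "all",  # all of selection_*
        "selections": {
            "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
            "selection_export": {"CommandLine|contains": ["Export-Csv", "Out-File", "Copy-Item"]},
            "selection_bulk": {"CommandLine|contains": ["-Recurse", "Get-ChildItem"]},
        },
    },
    "SQL Bulk Copy Program Usage": {
        "condition": "any",  # 1 of selection_*
        "selections": {
            "selection_bcp": {"Image|endswith": ["\\bcp.exe"],
                              "CommandLine|contains": [" queryout ", " out "]},
            "selection_sqlcmd": {"Image|endswith": ["\\sqlcmd.exe"],
                                 "CommandLine|contains": [" -o "]},
        },
    },
}

# Constructed process_creation events (Sysmon Event ID 1 / DeviceProcessEvents shape).
SAMPLE_EVENTS = [
    {"id": 1, "User": "CORP\\contractor01",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c \"Get-ChildItem \\\\fs01\\PatientExports -Recurse | "
                    "Export-Csv C:\\Users\\contractor01\\all.csv\""},
    {"id": 2, "User": "CORP\\contractor01",
     "Image": "C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\bcp.exe",
     "CommandLine": "bcp \"SELECT * FROM dbo.Patients\" queryout C:\\Users\\contractor01\\patients.dat -c -T -S SQL01"},
    {"id": 3, "User": "CORP\\svc_reporting",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\nightly-report.ps1"},
    {"id": 4, "User": "CORP\\analyst07",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c \"Get-Process | Export-Csv C:\\Users\\analyst07\\procs.csv\""},
]


def field_matches(value, modifier, patterns):
    """One Sigma field test: OR across the listed patterns, case-insensitive."""
    v = value.lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "" and v == p:
            return True
    return False


def selection_matches(event, selection):
    """All field tests in a selection must pass (Sigma AND semantics)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(str(value), modifier, patterns):
            return False
    return True


def evaluate(event, rules=RULES):
    """Return the titles of every rule whose condition the event satisfies."""
    hits = []
    for title, rule in rules.items():
        outcomes = [selection_matches(event, s) for s in rule["selections"].values()]
        combine = all if rule["condition"] == "all" else any
        if combine(outcomes):
            hits.append(title)
    return hits


def run(events=SAMPLE_EVENTS, rules=RULES):
    """Map each event id to the rules it triggers; an empty list means no alert."""
    return {e["id"]: evaluate(e, rules) for e in events}


if __name__ == "__main__":
    for event_id, titles in run().items():
        print(f"event {event_id}: {titles or 'no match'}")
```

Event 4 is the interesting one: it contains `Export-Csv` but no recursive enumeration, so the PowerShell rule stays quiet, which is exactly the false-positive class (small ad-hoc reports) the `all of selection_*` condition is meant to suppress. Drop real process-creation exports into `SAMPLE_EVENTS` to measure the rule's noise on your own estate before enabling it.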

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for bursts of file creation/modification under user profiles,
// indicative of bulk data staging before exfiltration.
// Note: in DeviceFileEvents, FolderPath carries the full path including the file name,
// so group on the parsed directory, not on FolderPath itself, or every file is its own group.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath startswith @"C:\Users\"
| extend Directory = tostring(parse_path(FolderPath).DirectoryPath)
| summarize FileCount = count(), DistinctFiles = dcount(FileName), LastSeen = max(Timestamp)
    by InitiatingProcessAccountName, DeviceName, InitiatingProcessFileName, Directory, bin(Timestamp, 1h)
| where FileCount > 100 // files per hour per directory; tune against backup and reporting jobs
| sort by FileCount desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for large compressed archives created in user profiles to stage data for theft
-- (ZIP, RAR or 7z larger than 10 MB and modified in the last 7 days).
SELECT OSPath, Size, Mtime
FROM glob(globs="C:/Users/*/**/*.{zip,rar,7z}")
WHERE Size > 10485760
  AND Mtime.Unix > now() - 7*24*3600

-- Supplemental: removable volumes currently mounted (Win32_LogicalDisk DriveType 2).
-- Win32_VolumeChangeEvent is an event class and cannot be polled with wmi(); it would
-- need a running wmi_events() client-event query instead.
SELECT DeviceID, VolumeName, Size
FROM wmi(query="SELECT DeviceID, VolumeName, Size FROM Win32_LogicalDisk WHERE DriveType = 2")

-- USB storage history kept by Windows under USBSTOR; it survives the device being unplugged.
SELECT Name AS DeviceInstance, Mtime
FROM glob(globs="HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/USBSTOR/*/*", accessor="registry")

Remediation Script (PowerShell)

PowerShell
# Audit Script: Identify third-party accounts that are still enabled but should not be
# (no recent logon, or no expiry date at all). This checks the control gap the Nuance case
# illustrates: vendor credentials that outlive the engagement or the employee.

Import-Module ActiveDirectory

# OU where third-party/contractor accounts live (adjust for your directory)
$targetOU  = "OU=External Contractors,DC=domain,DC=com"
$staleDays = 90
$reportDir = "C:\Temp"

# Enabled users in the target OU. LastLogonDate is derived from lastLogonTimestamp,
# which replicates with up to ~14 days of lag, so treat it as an upper bound on staleness.
$riskyUsers = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $targetOU `
    -Properties LastLogonDate, AccountExpirationDate, Description

$cutoff = (Get-Date).AddDays(-$staleDays)

# Enabled accounts with no logon in $staleDays days, or no recorded logon at all
$staleAccounts = $riskyUsers | Where-Object {
    $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff
}

# Enabled vendor accounts with no expiry date: nothing forces a re-approval when the contract ends
$noExpiry = $riskyUsers | Where-Object { $null -eq $_.AccountExpirationDate }

if ($staleAccounts) {
    Write-Host "[!] CRITICAL: Enabled accounts with no logon in $staleDays days:" -ForegroundColor Red
    $staleAccounts | Select-Object Name, SamAccountName, LastLogonDate, Description | Format-Table -AutoSize
} else {
    Write-Host "[+] No stale enabled accounts found in $targetOU." -ForegroundColor Green
}

if ($noExpiry) {
    Write-Host "[!] WARNING: Enabled third-party accounts without an expiration date:" -ForegroundColor Yellow
    $noExpiry | Select-Object Name, SamAccountName, Description | Format-Table -AutoSize
}

# Export for the remediation ticket (create the folder if it does not exist)
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$staleAccounts | Select-Object Name, SamAccountName, LastLogonDate, AccountExpirationDate, Description |
    Export-Csv -Path (Join-Path $reportDir "RiskyThirdPartyAccounts.csv") -NoTypeInformation

Remediation

1. Immediate Access Governance Audit

  • Action: Conduct a manual review of all privileged accounts held by third-party vendors (like Nuance). Validate that every enabled account maps to a current contract and a named sponsor, and that a termination at the vendor triggers deprovisioning on your side within hours; the access in this case persisted past the employee's termination, which is precisely the gap this review closes.
  • Automation: Implement Identity Governance and Administration (IGA) tools to automatically trigger access reviews 30 days before a contract expires.

2. Enforce "Just-in-Time" (JIT) Access for BAs

  • Action: Third parties should not have standing administrative privileges. Implement Privileged Access Management (PAM) solutions requiring elevation requests for specific time windows.
  • Vendor Guidance: Refer to NIST SP 800-53 Rev 5 controls AC-2 (Account Management), AC-6 (Least Privilege) and AC-17 (Remote Access), plus PS-4 (Personnel Termination) and PS-7 (External Personnel Security), which are the controls that should have removed the access when the vendor's employment relationship ended.

3. Implement DLP for Database Staging

  • Action: Configure DLP policies to flag or block the creation of compressed files (ZIP, RAR, 7z) that exceed a size threshold or contain tagged PHI keywords or medical record number patterns on endpoints.
  • Configuration: Use AppLocker or WDAC to allow bcp.exe and sqlcmd.exe only on dedicated DBA jump hosts with session recording, and alert on their execution anywhere else (the third SIGMA rule above).

4. Disable Removable Media

  • Action: Apply a Group Policy Object (GPO) that denies write access to removable storage on all endpoints that are not an approved IT exception, especially those that access PHI.
  • Configuration: Computer Configuration > Administrative Templates > System > Removable Storage Access > "Removable Disks: Deny write access" (registry equivalent: HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Write = 1). USBSTOR is the device-history key under HKLM\SYSTEM, not a policy setting; there is no "deny_write on USBSTOR" command.

5. User and Entity Behavior Analytics (UEBA)

  • Action: Deploy UEBA solutions (available in Sentinel or M365 Defender) to baseline "normal" data access volumes. Alert on deviations, such as a user accessing 1,000+ records in a single session where their baseline is <50.
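The per-user baseline check described above can be prototyped before any UEBA licence is bought. What follows is an added example, not code from the original page or from Security Arsenal: it scores each PHI access session against the same user's own preceding sessions, alerting only when a session exceeds both an absolute floor and a multiple of that user's median, and routing users with no history to review instead of silently passing them. The session counts, dates and account names are constructed for the example; the thresholds are assumptions to tune.

```python
"""Per-user access-volume baseline, the check behind "user pulled 1,000+ records
where their baseline is <50". Added example; session counts below are constructed,
not data from the Geisinger case."""
from collections import defaultdict, deque
from statistics import median

ABS_FLOOR = 1000    # never alert on a session smaller than this many records (assumed)
RATIO = 10.0        # alert when a session exceeds RATIO x the user's median session (assumed)
WINDOW = 7          # prior sessions that form the baseline
MIN_HISTORY = 1     # fewer prior sessions than this: no usable baseline (raise in production)

# Constructed per-session PHI access counts: (user, date, records_accessed).
# Dates are ISO strings so lexical order is chronological.
SESSIONS = [
    *[("contractor01", f"2024-05-0{d}", n) for d, n in zip(range(1, 8), [38, 41, 35, 52, 44, 39, 47])],
    ("contractor01", "2024-05-08", 1_200_000),   # the bulk pull
    *[("dba01", f"2024-05-0{d}", n) for d, n in zip(range(1, 8), [4800, 5100, 4400, 6200, 5000, 4700, 5300])],
    ("dba01", "2024-05-08", 7500),               # above the floor but normal for this role
    ("dba01", "2024-05-09", 80_000),             # roughly 15x this DBA's own median
    ("analyst07", "2024-05-01", 45), ("analyst07", "2024-05-02", 60),
    ("analyst07", "2024-05-03", 30), ("analyst07", "2024-05-04", 55),
    ("newhire02", "2024-05-08", 5000),           # first session ever, no baseline
]


def score_sessions(sessions, abs_floor=ABS_FLOOR, ratio=RATIO, window=WINDOW, min_history=MIN_HISTORY):
    """Score every session against the user's own preceding sessions, in date order.

    "anomaly": the session exceeds both the absolute floor and RATIO x the user's
    median, so a DBA with a large normal volume is not paged for a busy day while a
    low-volume account cannot hide a bulk pull behind a small multiplier.
    "review_no_baseline": a large session from a user with too little history; the
    edge case a naive ratio check gets wrong (median of nothing, or a zero baseline
    that turns any count into an infinite ratio)."""
    history = defaultdict(lambda: deque(maxlen=window))
    results = []
    for user, date, count in sorted(sessions, key=lambda s: (s[1], s[0])):
        prior = history[user]
        if len(prior) < min_history:
            baseline = None
            verdict = "review_no_baseline" if count >= abs_floor else "ok"
        else:
            baseline = median(prior)
            threshold = max(abs_floor, ratio * baseline)
            verdict = "anomaly" if count > threshold else "ok"
        results.append({"user": user, "date": date, "count": count,
                        "baseline": baseline, "verdict": verdict})
        prior.append(count)  # this session now becomes part of the user's history
    return results


def alerts(sessions=SESSIONS, **kwargs):
    """Only the sessions an analyst needs to look at."""
    return [r for r in score_sessions(sessions, **kwargs) if r["verdict"] != "ok"]


if __name__ == "__main__":
    for a in alerts():
        print(f"{a['date']} {a['user']:<13} {a['count']:>9} records  "
              f"baseline={a['baseline']}  {a['verdict']}")
```

The two alerts that matter are contractor01's 1,200,000-record session against a median of 41 and dba01's 80,000 against a median of 5,100; dba01's 7,500-record day is not flagged even though it is above the absolute floor, which is the point of baselining per user rather than applying one global threshold. Feed this the per-session record counts from your EHR or database audit log and keep the verdicts alongside the raw counts so the analyst can see why a session fired.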
