Cyber Threat Actor: Former Geisinger Berwick employee
| Actor Type | Location | Known Incidents |
Insider - Disgruntled
|
United States of America
|
1 incident |
|---|
Profile
The threat actor is knownpublicly as a former Geisinger Berwick employee, an alias that reflects the individual's last known position before termination. The actor’s location is identified as the United States of America, with the specific incident occurring at a healthcare facility in Pennsylvania. This insider threat emerged from within the workforce of a regional health system that operates multiple campuses and a large health plan. No additional aliases or affiliations have been disclosed in open sources.
The actor’s activity was directed at a healthcare organization, specifically accessing patient records without a legitimate business need. The sector targeted is therefore the healthcare industry, and the geographic scope is limited to the United States where the provider operates. Investigators explicitly stated that there was no evidence of financial fraud, espionage, or intent to cause disruption, noting that the accessed information was not retained or used for malicious purposes. The absence of retained data or observable harm led investigators to conclude that the actor’s actions were not driven by typical cyber‑criminal or nation‑state objectives.
The observed tactics involved the misuse of legitimate employee credentials to view protected health information, representing an insider threat vector rather than external intrusion. No malware families, exploit tools, or custom tooling were referenced in the reporting, and the actor’s network activity showed no signs of data exfiltration or retention. The access pattern consisted of repeated, unauthorized queries of electronic medical records over an approximate one‑year period. This behavior aligns with a pattern of privilege abuse without the deployment of typical offensive cyber tools.
The only publicly reported operation linked to this actor is the Geisinger Berwick incident that began in June 2019 and was discovered in June 2020, affecting more than seven hundred patients whose names, dates of birth, Social Security numbers, medical details and contact information were viewed. Following the investigation, the employee was terminated and the organization offered affected individuals one year of free identity theft protection. No further campaigns or attributed operations have been documented in open sources. This case remains the sole documented example of the actor’s activity in the cybersecurity record.
