Geisinger Data Breach Settled for $5 Million

What Happened in the Geisinger Data Breach?

A federal judge has granted final approval to a $5 million class action settlement involving Pennsylvania-based Geisinger Health and Nuance Communications, a Microsoft-owned healthcare technology company. The settlement resolves widespread legal claims stemming from a serious 2023 insider data breach.

The Breach Explained

On November 29, 2023, a former Nuance Communications employee — identified as Andre J. Burk, also known as Max Vance — illegally accessed sensitive Geisinger patient records. Critically, he did this just two days after Nuance terminated his employment. Nuance provided IT and clinical documentation services to Geisinger under contract, which gave its employees access to patient data.

Law enforcement officials requested a delay in public notification while they investigated the incident. As a result, Geisinger did not notify affected patients until June 24, 2024. Furthermore, the HHS Office for Civil Rights confirmed that the breach exposed the protected health information of 1,276,026 individuals. Burk now faces federal criminal charges under the Computer Fraud and Abuse Act for obtaining information from a protected computer.

Who Is Affected by the Settlement?

The court certified a settlement class of approximately 1.3 million individuals. Specifically, you qualify as a class member if your personal or health information was compromised during the November 29, 2023, data incident at Geisinger Health — or if Geisinger sent you a breach notification notice.

What Data Was Exposed?

The breach exposed a wide range of sensitive patient information. Compromised data included:

  • Full names and dates of birth
  • Home addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance information
  • Other medical details

Moreover, the exposed fields varied by individual patient, depending on what Nuance held on record.

What Compensation Can You Claim?

Option 1 — Out-of-Pocket Loss Reimbursement

Class members who suffered documented, unreimbursed losses directly tied to the breach can claim up to $5,000 per person. Reimbursable expenses include fraud-related charges, credit monitoring costs, bank fees, communication charges, and credit report costs. Additionally, members can claim up to two hours of lost time at $20 per hour, totaling up to $40.

Importantly, claimants must provide valid third-party documentation such as bank statements, credit card records, or receipts. Self-prepared documents alone are not accepted.

Option 2 — Alternative Pro Rata Cash Payment

Alternatively, class members who did not experience direct out-of-pocket losses can still receive a pro rata cash payment. This amount will vary depending on the total number of claims filed and remaining funds after deductions for attorneys’ fees, administrative costs, and service awards.

Option 3 — Credit Monitoring Services

In addition to cash payments, all eligible class members can enroll in a one-year credit monitoring and identity theft protection service at no cost.

How to File Your Claim

Filing a claim is straightforward. Eligible class members have two options:

  • Online: Submit the claim form at the official settlement website, GeisingerDataSettlement.com.
  • By Mail: Print and complete the paper claim form, then mail it to: Settlement Administrator – 83320, c/o Kroll Settlement Administration LLC, P.O. Box 5324, New York, NY 10150-5324.

For out-of-pocket reimbursement claims, always attach supporting documentation. For alternative cash payments and credit monitoring enrollment, no documentation is required — just submit the completed form and attest to your eligibility.


Key Deadlines to Remember

Missing a deadline disqualifies you from receiving benefits. Therefore, keep these dates in mind:

Action                       Deadline
Opt-Out of Settlement        February 17, 2026
File Objection               February 17, 2026
Final Approval Hearing       March 16, 2026
Claim Submission Deadline    March 18, 2026

Settlement payments will begin only after the court grants final approval and resolves any potential appeals.

What This Means for Healthcare Data Security

Accountability for Vendors and Health Systems

The Geisinger lawsuit raised serious concerns about third-party vendor oversight in healthcare. Plaintiffs argued that Geisinger failed to ensure its vendors — like Nuance — maintained adequate cybersecurity controls. Similarly, Nuance faced allegations of insufficient system monitoring, weak network segmentation, and failure to comply with HIPAA rules and FTC guidelines.

Neither Defendant Admitted Wrongdoing

While both Geisinger and Nuance agreed to the settlement, neither party admitted liability. Both chose to settle primarily to avoid the financial and legal uncertainty of a prolonged trial. Notably, a Geisinger spokesperson confirmed that neither Geisinger nor its insurer will fund the settlement — the payment responsibility falls on Nuance’s side.

A Warning for the Healthcare Industry

This case highlights a critical vulnerability across the healthcare sector: insider threats from third-party vendors. As healthcare organizations increasingly rely on external technology partners, robust access controls and prompt offboarding protocols are no longer optional; they are essential safeguards.
