Nuance Communications and Geisinger Health Pay $5 Million to Resolve Data Breach Litigation

The healthcare provider Geisinger Health, based in Danville, Pennsylvania, and its former IT vendor Nuance Communications, Inc., have agreed to pay $5 million to resolve the class action litigation arising from a 2023 insider data breach involving a former Nuance Communications employee.

On or about November 29, 2023, Geisinger Health discovered that Andre J. Burk (also known as Max Vance), a former Nuance Communications employee, had accessed the sensitive information of Geisinger Health patients after Nuance Communications terminated his employment. Nuance Communications had access to the information in order to deliver the services it provided. It was Geisinger Health, not Nuance Communications, that discovered the breach and notified the IT vendor.

Under HIPAA, business associates of HIPAA-covered entities must themselves be HIPAA compliant, which includes ensuring that employees’ access rights are revoked immediately upon termination of employment. When informed of the unauthorized access, Nuance Communications terminated the former employee’s access rights and launched an investigation, which found that the former employee had likely obtained the protected health information (PHI) of more than 1.2 million Geisinger Health patients, including names, dates of birth, medical data, health insurance details, and Social Security numbers.

Affected individuals began receiving breach notification letters on June 24, 2024; the delay in notifying victims was requested by law enforcement. The HHS’ Office for Civil Rights was informed that the PHI of 1,276,026 individuals was affected. Max Vance is currently facing criminal charges over the data theft, namely one count of obtaining information from a protected computer. His trial is scheduled for early January 2026.

Geisinger Health and Nuance Communications, Inc. faced multiple lawsuits over the data security breach. In July 2024, the lawsuits were consolidated into a single action, In re: Geisinger Health Data Security Incident Litigation, filed in the U.S. District Court for the Middle District of Pennsylvania. The consolidated lawsuit alleged that the defendants failed to implement and maintain reasonable and adequate security measures to protect the personal data and PHI of the plaintiffs and class members.

The lawsuit claimed that Geisinger Health failed to verify that its vendors used appropriate security measures; that Nuance Communications did not adequately monitor its systems for attacks, lacked sufficient network segmentation, and did not follow the HIPAA Rules and FTC guidelines; and that both defendants failed to comply with industry-standard cybersecurity protocols. The lawsuit asserted a claim of breach of fiduciary duty against Geisinger Health, and claims of breach of implied contract, negligence, negligence per se, breach of third-party beneficiary contract, and declaratory judgment and injunctive relief against both companies.

The defendants denied the allegations in the lawsuit; nevertheless, they chose to settle, without admitting wrongdoing, to avoid the cost and uncertainty of a trial and any subsequent appeals. District Court Judge Matthew W. Brann granted preliminary approval of the settlement on November 18, 2025. Under the terms of the settlement, a $5,000,000 settlement fund will be created, from which attorneys’ fees and expenses, settlement administration costs, and service awards will be paid. The remaining funds will cover the class members’ benefits.

The 1,308,363 class members may elect to receive one year of credit monitoring and identity theft protection services. In addition, each class member may submit a claim for reimbursement of documented, unreimbursed out-of-pocket expenses of up to $5,000 incurred as a result of the data breach. Alternatively, class members may claim a pro rata cash payment. All claims must be submitted on or before March 18, 2026. The final approval hearing is scheduled for March 16, 2026.

About Christine Garcia
Christine Garcia is a staff writer at Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected] or follow her on Twitter at https://twitter.com/ChrisCalHIPAA