
Geisinger Health and former IT vendor reach $5 million settlement over insider data breach

Geisinger Health, a Danville, Pennsylvania-based healthcare provider, and its former IT vendor Nuance Communications reached a $5 million agreement to settle class action litigation stemming from a 2023 insider data breach linked to a former Nuance employee who accessed patient information after his termination.


Geisinger Health identified the unauthorized access on November 29, 2023, when former Nuance employee Andre J. Burk, also known as Max Vance, entered systems containing patient data two days after his employment ended. The information had been provided to Nuance for contracted IT services. Geisinger Health detected the breach and alerted its vendor. Nuance then revoked the individual’s access and opened an investigation, which found that protected health information belonging to more than 1.2 million patients had potentially been obtained. The data included names, dates of birth, Social Security numbers, medical details, and health insurance information.


Notification to affected individuals began on June 24, 2024, after a delay requested by law enforcement. The U.S. Department of Health and Human Services’ Office for Civil Rights received confirmation that the protected health information of 1,276,026 individuals was involved. Vance is now facing a federal criminal charge of obtaining information from a protected computer, with a trial scheduled for early January 2026.


Multiple lawsuits were filed against Geisinger Health and Nuance Communications in the wake of the breach. The cases were consolidated in July 2024 into a single action in the U.S. District Court for the Middle District of Pennsylvania. The consolidated complaint asserted that the defendants failed to maintain reasonable security measures to safeguard personal and protected health information. Allegations included insufficient oversight of vendor practices, inadequate system monitoring, limited network segmentation, and noncompliance with federal guidelines and cybersecurity standards. Claims included negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and requests for declaratory and injunctive relief. Geisinger Health also faced a breach of fiduciary duty claim.


Both defendants disputed the allegations but chose to settle to avoid the cost and uncertainty of a trial. District Court Judge Matthew W. Brann granted preliminary approval of the agreement on November 18, 2025. The settlement establishes a $5 million fund to cover attorneys’ fees, service awards, and administration costs, with the remaining funds designated for class member benefits.


The class includes 1,308,363 individuals who may receive a one-year credit monitoring and identity theft protection service. Class members may also file claims for reimbursement of documented, unreimbursed out-of-pocket losses tied to the breach, up to $5,000 per person. Instead of reimbursement, individuals may choose to receive a pro rata cash payment. The final approval hearing is set for March 16, 2026, and claims must be submitted by March 18, 2026.


Geisinger Health confirmed that Nuance Communications is issuing notifications to patients. Individuals have been advised to review health plan statements and report unfamiliar services to their insurers. A dedicated helpline was established for additional assistance at 855-575-8722, available from 9 a.m. to 9 p.m. ET Monday through Friday.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543