Stolen data complaint against Geisinger Health, Nuance Communications settled for $5M
On Monday, a judge approved a $5 million settlement that resolves civil litigation against Geisinger Health and Nuance Communications, stemming from an incident in which a former employee of the latter stole medical records on roughly 1.3 million patients.
Those patient records belonged to Geisinger, a Pennsylvania-based nonprofit health system that contracted with Nuance Communications, a Microsoft subsidiary that provides speech recognition for clinical notes and artificial intelligence that summarizes patient encounters.
The lawsuit was filed June 28, 2024, and the settlement was agreed to earlier this month. It has not been made final by a judge in Pennsylvania.
Victims of the breach have until March 18 to file a claim to get their portion of the settlement. It’s not clear how much each person will get, as that will depend on how many of the potential 1.3 million people sign on as beneficiaries.
However, under the terms of the agreement, Nuance and Geisinger will pay an additional $30,000 to cover litigation expenses—this includes awards to the five people who filed the initial complaint, which was later given class action status.
As of March 5, a day after the settlement was verbally agreed to by all parties, only 97,000 victims were signed up to get a direct cash payment.
Anyone wishing to sign up for credit monitoring protection can also do so at this time by joining the class of defendants. There is no other way to obtain the complimentary protection, lawyers representing plaintiffs confirmed.
To date, there is no known data trove on the dark web associated with the theft, nor is there any evidence the patient records were used for malicious purposes.
Nuance and Geisinger do not admit to any wrongdoing or further liability, as the settlement terms do not require them to do so.
Stolen records included names, birthdates, addresses, medical record numbers, details on treatments, insurance details and more. Geisinger operates 10 hospitals and 126 care sites across 45 counties in Pennsylvania. It sees over 3 million patients each year.
Thief pleads guilty
According to court documents, the former Nuance employee responsible for the data theft is a man named Max Vance, who was fired by the company in November 2023. Using his access credentials, he was able to log in to a database where records from Geisinger were stored and download them.
After an investigation, Vance was arrested in February 2024. As part of a plea deal, he admitted to the crime of obtaining information from a protected computer and was sentenced to three years of probation.
Police said they found the stolen data on a flash drive in his car labeled “prior employer” and were able to recover it. According to an arrest warrant, a search of his residence uncovered two firearms without serial numbers and equipment to make fake IDs.
He served some time in jail while awaiting trial and sentencing.
